chimera | 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

Analysis

max time kernel
125s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HawkEye.exe
Size

232KB
MD5

60fabd1a2509b59831876d5e2aa71a6b
SHA1

8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256

1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512

3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
SSDEEP

3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi

Score

10^/10

chimera ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

Processes:

HawkEye.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jre7\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jre7\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
3	bot.whatismyipaddress.com
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Games\Solitaire\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\Office14\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\skins\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Games\Hearts\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Games\FreeCell\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Games\Purble Place\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

Processes:

resource	yara_rule
behavioral1/memory/1740-3-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Renames multiple (2016) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 37 IoCs

Processes:

HawkEye.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 bot.whatismyipaddress.com

flow	ioc
3	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

Processes:

HawkEye.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\cpu.js	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Xusage.txt	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar	HawkEye.exe
File created	C:\Program Files\Microsoft Games\FreeCell\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_choosefont.gif	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\gadget.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Groove.gif	HawkEye.exe
File created	C:\Program Files\Java\jre7\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\SignedManagedObjects.cer	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\gadget.xml	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar	HawkEye.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\highDpiImageSwap.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\timeZones.js	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png	HawkEye.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416666689"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000e8b6bed3bc7f54a7a6b52f758a287d86568668d76f1cf8af63c29fd484f4b29a000000000e800000000200002000000060b9a0d47c2632cc9d291d27d6be0fe3f0aad1200116f36580d1f7eef46293cf20000000c19c1359b0d71c13bc66ea7ace160b3a86af24924b34737ebc324adc5dfcf398400000002de8ca3899519c5df90c798f2c40ccd8363111c6b67f7b332e3ed3a59ca310d8a5e0277abee4adb32daf4fc10f430a877a77b63fe4a7d20ead06d91b71934d2c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7562CCE1-E2C5-11EE-9A2B-D20227E6D795} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000051220ccf7653efc1e64e6432a3075d2b7eef492cf35276331ee1fc0ac81b415000000000e800000000200002000000098199d875c8444001ba22cdf603cd5757357d3d5a6e914bf68c8726c23884ae290000000bdb6d211fd60636e1c906a34b0129f7a8c864516121a90530960dc00d6e8670c2ea90031c725716ea9254f75b812b95a64d8a0e6264b6ff5ba9d2ab9f8100a4d6b30622ac45a8c1016a312f2b872aca848c76150a998b57cc05a7da6c165cd16a3d6292a3a4bfee3e0d0dd88badb8cbad22c653837f73fa6dd74cc63c7dacb5c4810447843fceef4c1e2d40443da728f4000000069815b1d4a3b01c92479ad0c3d6c692f84dfc941e14b1f9b944fcc5e9daa30dad310ff7f95527afa1ea6cc035f6c298d885e0b451a66239eec2f1e06c26b40a1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c043f44bd276da01	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HawkEye.exe

description pid process

Token: SeDebugPrivilege 1740 HawkEye.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2420 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2420 iexplore.exe
2420 iexplore.exe
2116 IEXPLORE.EXE
2116 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1740	HawkEye.exe

pid	process
2420	iexplore.exe

pid	process
2420	iexplore.exe
2420	iexplore.exe
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

HawkEye.exeiexplore.exe

description	pid	process	target process
PID 1740 wrote to memory of 2420	1740	HawkEye.exe	iexplore.exe
PID 1740 wrote to memory of 2420	1740	HawkEye.exe	iexplore.exe
PID 1740 wrote to memory of 2420	1740	HawkEye.exe	iexplore.exe
PID 1740 wrote to memory of 2420	1740	HawkEye.exe	iexplore.exe
PID 2420 wrote to memory of 2116	2420	iexplore.exe	IEXPLORE.EXE
PID 2420 wrote to memory of 2116	2420	iexplore.exe	IEXPLORE.EXE
PID 2420 wrote to memory of 2116	2420	iexplore.exe	IEXPLORE.EXE
PID 2420 wrote to memory of 2116	2420	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\HawkEye.exe
"C:\Users\Admin\AppData\Local\Temp\HawkEye.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\YOUR_FILES_ARE_ENCRYPTED.HTML
Filesize
4KB

MD5
8096c240cc56aeab15b7a92248f3372d

SHA1
8f57875fd8cc89bc510224e19bc8839aa692d3bb

SHA256
82479e2ce20a0646b956b6e8e0f64331227d4229d7aac510e01eb18c67c10f40

SHA512
52c61e9c0c8998cefeea2777b17755f9ec2f1793282aa8095e85faa881d24471f3a5d3a925b33ccd496306280cef7a966fc32c4252ca293c8d409fdddd813676

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
497a554225126a4a454978fe0297c916

SHA1
9b31fb68b902f6649da641366294dd151c3d7dc6

SHA256
3608b44161e3cc8483c069613ddefc877303d73b7c361cb128c63cb0578708a1

SHA512
71b5815a6745a8c7c5eda7377193a4691d36025f21227c6919804d9a66c6f53deff5dbce9d8827d3ac0f1d58d1987d7552069d851143842aac2fef57c8a11bca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9143270cfff9ec411f92480213e7491c

SHA1
c5866fee4214441cc537d129e7d6cc42d3beaf9c

SHA256
ccc60e5feba13c000c89a5198e7b622c003c8cc46a700a9507e7937cb2c0a82a

SHA512
b577b0dc9b5fc6f42a3f95d0b695398145cf22bf3ea4f11af912a66ce958de043d51708fcc2c1c5c77d5bdafbb6b79f454e653afb1e6a4cbb96bb0b4ff75d3a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a992b8e3c11600f99237d0ef5a70b20f

SHA1
abd08c13182af9e8d4f7484748b15202bd1f2435

SHA256
0cebb819bce4b169eb8778ca4eb3c2f33b5c82950b81991781a43d7c029cf68a

SHA512
18699ac8706990fa4ac02e24a4b85b4653e8d9f89d15027a61c070268e9e60056e98f300b95703915324ec28c810f4ea870f1bd843f19b9e8ce32d38f628421c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
46930b15e7442e893e0e01697f54a24d

SHA1
0ff00e16823fa7664c143430cfed2e7b523157ca

SHA256
074ad81e2c0a05f9f417748a030883b24affeab4607988f12074398a7948cb85

SHA512
a4196ed1539b133a3c9dedea621d3edff98bb5b66ef62bcaea617b4de4876b5cb39437e6a7697b92603a1062e8b1f056b285544893c3297182f4dfcbd2bc78e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
38e02a64f2c26749732a0c14724cdfd6

SHA1
64b668f2c553a4f086fc3cc494c85f0abeacccc1

SHA256
61d0aaf27bce6b1151890c8aecf3d4ca0cad229db2d93efd01f457ff75ada609

SHA512
0d702061e09308cdd009801489bea5e41488b77316447bf40e94cda74c50ff62f7f10d86e9932d1961d3ca4e3285bd8e013215023e28ab134609c1dcdd443d2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c317e78de743f2aa4f98148b0d78dae3

SHA1
a0023390769f8cd4a9a6776f72aae408eb9a5715

SHA256
9bc0e4223b6b56fb5b8f09220dfe7fabf82e23968ea469998241f3a9af5fb307

SHA512
b77f3470c02206dd26b66d14df730dc2b06caea6225e9b5ce7cc4f7ca19ee18c8443e7c1f539554785352ae6a9adb96e8ea03e9137910490e3bb950112ba52fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c79cf87f953e50f80eac9c8e57b960ae

SHA1
12c302c844b0d78ce65da943549053cd9e1fa1ec

SHA256
90e8e5e573ef5be6bb45931ba54810dc8e5cea6d0cb6e2ab7884c2d634a26248

SHA512
e70c543b3b2bb9dfd7f7e8d3fffb4c14f40b2b5c533fd39cb744883e75710be549018f83ee759aa22af91301a050fb0c2b74c82ad50cca1127a4a467af4ba790

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cee8e01bdefa3e1e902ea7ff75cdbbd7

SHA1
96df006807a6911afaebff4404de94e3dc1ec34a

SHA256
89ce012fb7652ae82dd4aa6d1fea7c32633f4995c65d9c5fb6e373739bdee8c7

SHA512
6a57c11b35d70030ff26b8b3c522ab2fafc8d1364b07c2e3ccb44ad3e6bfcda8fb09fdb8f8da823eb2abb7606f981e9bbf91762811c699cf14b07fc74f0a8775

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e5ca2571db808f7d964fe4410059da60

SHA1
ac02ff543b427f2edfaf1352af7960eb0f8ab02e

SHA256
3745cb1f89972848ac32cfd2033674313c532fed0de96dc4694550c171411dae

SHA512
8554f0c6b9157963c8ebb8a1f3d41dcad3077a0f1d424bbf6cd27d7381c8e46752040181b323eec77b32f4aa12ec1bd2646823cc9c23db32791a886595683402

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
762a6a4e97aafd0367fe69e1126985cd

SHA1
472be4949435ab1ae902a12538b5b53333f944fc

SHA256
02d8f553b9c11910c43701fd6c9306c4b81367090c8b8572e7999d251dd8935b

SHA512
b935293dc1ca65613d1a131525ac6ad8f93068ce1ff266364a356a287961112f163395a74a6e0743be94efaaefda4aa358389088bf5fa45248ddeb8e8ab1040c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b3b65f04abaf0fa939c947ab3733f01d

SHA1
6d9d2672046a08b928181e877ae7a1265d2efe46

SHA256
778fc3b5c2ec7cb9e5e632f4987541e6c23bae51c3407c5296216a511e0f5c05

SHA512
6c00580271745380742f99c85cc3315e070f63fb1df9c0e255e5e6db58f734262afc582ac0f2dbcaed1be5ed2271730d60b0fbe540de2236a9c1579677207a17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b146e12c8d62a64e91272c834170243a

SHA1
167c95f8f47ebabbc7f3bd570994b683f364cbf4

SHA256
4779b287bcaccf5a869d1202adaa23a4fd515e5b79f34168a3c42dca8925540f

SHA512
53dfb730b69f33ce95f2b56c641e0528858bfed54ce66ab0987fe8f217e7fb853d222fd7137d7fff038a9261cc61a7b1e000564fc35f002644b54589df46bc6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4362a9ecb11cfe6707f4af456480c3a4

SHA1
b0d312342f482f2f2182415a700997ea6f601da7

SHA256
976c41e68660a918101105883fa13be893be9608e307348fb7fbcf10728c59e8

SHA512
bf3e086184b9050a05237f304213b6453f4ecb291f4db192fd90b39fa113e6e5fcd56a507085acc5ee076d62dd88f93ce1049136fbbc9355f77773cd37b0eac8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e8f43e447621369f77e583e91e7ee215

SHA1
b8219d443e419ed78be886f22ef8deb4efc7e7a6

SHA256
b2c07fcd28529cca56e749d1832b7d5ad8ced021e905e2baad65d4cc8c6ef3d9

SHA512
07b0b0513077cbc68d781e7ca195f99cc0bad3c3bea58b176b415feb93bcc1954ced85ccacb69122c4ceb8af6d649527f2d9e4d4a1997b11c21b53ff3e0c41cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
13ecb5f383e233600144a2ae389a866b

SHA1
02b650508d12cd57ed5b7fe8e4d4d8ba5cfbac5c

SHA256
95888e062429ffc2fab17fe1179a553da54a9ff4254eadfc705962356c26d5fe

SHA512
5771d0475e7747da85d0617c305c4d405963e14283857ea0232258fd89bc7f6dc21d1daafab382ecce19c7160c470ffaffee13681f1ce4e1fe7261df7669e1c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8acd5184921772be0c28052da4f75a94

SHA1
3c2263300c29987435d57044a6cc2aa517a97531

SHA256
1ca4443041d24ee12ee4e3a214ae29535fdf999a6adab20bbdb6e8ac67defcd9

SHA512
9ded4b2f8ef9ef21cc0bacd71e1578873ad2aa927df500d675954b6fdf2fffdd048e4f46da9d9d9147143998d76278d870d24b0654cbda1a3140f465387386c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d5e99573683409c966a795915ce459b4

SHA1
986b5866a71fbb62fc2468d4605ff0c0d76604ac

SHA256
e47915f7a3d2b78822726ea1c5a6d130980ebe7f27ae03962992ca80a5e69083

SHA512
c6213784d9af49647d23cb3da26bb894962a6084bb316d2bc849f33c7f94388faa050060e7524afe35d733cea7eaa1652c59b045aabd612bb7fb56cea5b2796c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9cfd27e0dfbd92f49d1516df68e0369a

SHA1
e98c94a6aa9cf54421e6c51f1624d3a53c266b4b

SHA256
f5cfe2317577e57abf3c335e5cfdee00ec9b52bc2f9b289ec714fd9ea23c05bc

SHA512
7610308623e765f37f9a2b38f9e1e7e666fdd5ee00642559031aec9a35f5f8429396ac1d33101e745dca3e7ad9d011731a972f3daefe176b97538526023e1729

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
de200053a2f8510f7f457bdfeabf8d10

SHA1
3a6e271594968e7aa9ae83d08fa483c180e371d8

SHA256
12260cd53288e604a79442c1c24ab5630d77b654fe6510fb9a9a82f87bc72162

SHA512
b54d4adb147d682dc98a2efd69e10e8e2264539e0ac30d1a19bce00a287395912fa05cbd68aa31164f4ecee6b4124713f84f6fe123369b9e28def945fa60a8da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
689ed9afa69ecc9c27b101ba0109722e

SHA1
fb79e692445465769b6194420f71c362bf622b50

SHA256
5dd171c86190a4f7ccc18bf4c4ad2381104b91e65c7e998f36a267210f902dad

SHA512
5b0f845974896d7f8527aa3dc458a3c746f66b3f0babe30bf5c85e38adc2f8b18670d020b87956f772e3b98532006d055d7c71f2bc777e984aa3287ed3e898cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7b2ccb6e8bff59473171df09906c2f17

SHA1
0ef088d9e9c0bbfa6a73d8319dc2e84a4e4e0a03

SHA256
89ed4b5f6cc2db6ab944be23c6c85d3ee8ab0767b31e9ed8b4777c9c68c2befd

SHA512
6fff32f68a3edb4b93fd4ceb25dcc6e80bd8fca6bf37ad24c7a684d3e0c6c15717c04c229db4e73af8fa8a555a0870929ee0d5ad1fb4cd90a3b48b11d56de21d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8948dc25769339eec9a9209fe21c4655

SHA1
379e9670e6195cb1298051c40676508f16671c7b

SHA256
e74f6e096ace958b921895b850c664d6850a9c777a01dcf90222ec6ae7726e53

SHA512
91e2d53148bc63377fc9bcd553ca9f7bdbd7a0ba87c5b59bb95c0d19367e85a636ae8874bf11d0bb3e614f4a722a2e8d9014fd0ec5809438139ee75f88a2038c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2CAE.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3240.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/1740-10-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/1740-0-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-1-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-2-0x0000000000B70000-0x0000000000BB0000-memory.dmp

Filesize
256KB

Download
memory/1740-3-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1740-8-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/1740-9-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/1740-743-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-1493-0x0000000000B70000-0x0000000000BB0000-memory.dmp

Filesize
256KB

Download
memory/1740-1499-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download