Analysis
-
max time kernel
148s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system -
submitted
29-05-2024 15:13
Static task
static1
Behavioral task
behavioral1
Sample
Chimera.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
Chimera.exe
Resource
win10v2004-20240508-en
General
-
Target
Chimera.exe
-
Size
232KB
-
MD5
60fabd1a2509b59831876d5e2aa71a6b
-
SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa
-
SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
-
SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
SSDEEP
3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi
Malware Config
Signatures
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
-
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource | yara_rule
behavioral1/memory/2824-3-0x0000000010000000-0x0000000010010000-memory.dmp | chimera_loader_dll
-
Renames multiple (2008) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 37 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | bot.whatismyipaddress.com
-
Drops file in Program Files directory 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2824 | Chimera.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1532 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1532 | iexplore.exe
1532 | iexplore.exe
1504 | IEXPLORE.EXE
1504 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2824 wrote to memory of 1532 | 2824 | Chimera.exe | 31
PID 2824 wrote to memory of 1532 | 2824 | Chimera.exe | 31
PID 2824 wrote to memory of 1532 | 2824 | Chimera.exe | 31
PID 2824 wrote to memory of 1532 | 2824 | Chimera.exe | 31
PID 1532 wrote to memory of 1504 | 1532 | iexplore.exe | 32
PID 1532 wrote to memory of 1504 | 1532 | iexplore.exe | 32
PID 1532 wrote to memory of 1504 | 1532 | iexplore.exe | 32
PID 1532 wrote to memory of 1504 | 1532 | iexplore.exe | 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chimera.exe "C:\Users\Admin\AppData\Local\Temp\Chimera.exe" 1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML" 2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:275457 /prefetch:2 3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1504
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
4KB
MD5fa737024a58a138220547dd5eff615e1
SHA14323afac89385c3a803f834f27a685ed2c7ce958
SHA2564fae492bf0bc087b87319c53b4debd79c5a5e59a86c740cc341a928a2a9bb773
SHA5125c335ca4cfb99b2f293383b4b6cc8761a6a60c35f626ee7a477e2946d289f97b93dd238eddcf41aa327af22534bf15c150b9f3c9a903d0973635eb145f868124
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize252B
MD54aee786e15e99429ca0c6c74e37aeca5
SHA14ef677007364a9bc0a27064ac7bd863f9a862cd1
SHA256c3cbded080db370d6298a853ee5ed92149556002530ae5b76d97f8eeaf001cd8
SHA512ef2bd0f96669c98e869840ced4608ad1cb70344c0c96d557a7e514aebc52443e0f347d89231727130023e47527cc4742c845f8beb84d7335e9029ae1e83c60eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 242B