chimera | 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

Analysis

max time kernel
65s
max time network
72s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
04/08/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HawkEye.exe
Size

232KB
MD5

60fabd1a2509b59831876d5e2aa71a6b
SHA1

8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256

1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512

3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
SSDEEP

3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi

Score

10^/10

chimera discovery ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	flow	ioc	Process
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
	4	bot.whatismyipaddress.com	Process not Found
File created		C:\Program Files\Microsoft Office\Office14\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jre7\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\microsoft shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jre7\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Windows Sidebar\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jre7\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Office\Office14\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\VideoLAN\VLC\skins\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Common Files\Microsoft Shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Games\Hearts\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\db\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Games\FreeCell\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/2384-3-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Renames multiple (2010) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 37 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\library.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\gadget.xml	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\picturePuzzle.js	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\Management.cer	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\6.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jre7\lib\javaws.jar	HawkEye.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png	HawkEye.exe
File opened for modification	C:\Program Files\WriteMeasure.odt	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png	HawkEye.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30f3d470c9e6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A13D901-52BC-11EF-971E-EA452A02DA21} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f000000000200000000001066000000010000200000005a9e41965964a657dca63bf365e9ffbe08d0c8bd997c9a18380d5b45b145bcb0000000000e8000000002000020000000a969f937a528021a532766075c2132d7089e97c92b299708a1579bcda785862d900000009e76b23368b0f6f9494341793a66ebf65edf90eee330790730d8b35680db1120dd43d9c9d9081d1db0303be6733cfcd62667677d8eb742de38475d927510b4357be30bc1af4ea5e4bd86b53b42d36dc3509a5331de66d32e671a7599f15112b80993393c12a5cbf976fd262af80af3e0ac553ce57f1cf192eb18d06b4f4182824ce67520a8b7f9d40e6401c14513c92a4000000022ad5a50fa0706fa9a7a9c33ce309fcefb05e64d70c4c0dd2272f2eda0b81d9f5f065416311b26ade453cdc2b912a63250275f2e43975be41735b18e667517c4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000bca7266c997fce238ce7915618500420467eafcddbfcb83c5edc47a0d7e8017e000000000e8000000002000020000000e47c4e837387ce33bb7219b6eee4a680ddbd920edc11a5eb9d0f794150b2304120000000054b01391a1cd6c50392257f3c7bbb0c23917b1779d36bdaef3814e944558a0340000000fac6e0d16fb120b7c01a0acbea2e73530ae96df4ffb67953187c7f39f028801d7837cf6c650cfb51d3dbda8659c247823d474f8e739d1ea5c9bec3354aaf5362	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WINWORD.EXE	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList\WINWORD.EXE	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	HawkEye.exe
Token: SeDebugPrivilege	2888	taskmgr.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2920	iexplore.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2920	iexplore.exe
2920	iexplore.exe
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2920	2384	HawkEye.exe	34
PID 2384 wrote to memory of 2920	2384	HawkEye.exe	34
PID 2384 wrote to memory of 2920	2384	HawkEye.exe	34
PID 2384 wrote to memory of 2920	2384	HawkEye.exe	34
PID 2920 wrote to memory of 2324	2920	iexplore.exe	35
PID 2920 wrote to memory of 2324	2920	iexplore.exe	35
PID 2920 wrote to memory of 2324	2920	iexplore.exe	35
PID 2920 wrote to memory of 2324	2920	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\HawkEye.exe
"C:\Users\Admin\AppData\Local\Temp\HawkEye.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2324

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
828a4a064cbbeb2dad43b6060c633ec4

SHA1
d60d1c96732d63317900eafcb8807c5d2143ad9d

SHA256
cb2d1c9f544a429c8deda89dc23e4978a065d2e7fdd92c03b5331f6fa0d3ef2b

SHA512
45c9a2f9686aa40b5eba940fe258864e5999fedc15109295c0f4fca1fd600d545b136a07e363ef22549b55405b0dc94a32ae724a9a3e89df743306a400977880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0c4c61a2f6032c926fe9ed7e3590c67

SHA1
3cb1972adf1be9a4e7b832e0bef523b40b74aff3

SHA256
4a442f9fce86dcc8e9d820fd26ac8f480c49c02f1c7caa6327112d681c6dba2e

SHA512
9d9ffd90e2d086b750b123857ba9e3dfd8d3ac67046186646d14aded1506f9d37d6e4f3ba078ab559e7292a10c97d917928144dd56b20aca76afd836a8ecb118

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06a900b69b95bf8871008343cdc40b15

SHA1
320009fdf44520365e3505db50579a3e3babe643

SHA256
e55dfe6b8521cc7f8c06a8736f186fed079eea457714ed0e588abf3e13889b70

SHA512
67f93f8d99c51c87eae4e394bd7e5ac7835e44a53af4f66738164855c391bec122a6839952b9ed26194081f04d6b096054242cb670c2f342aa5ecd3f60682c7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69cbbab1556109061ba81a18d55b04ff

SHA1
28ce10b60a58ff5afa5514c32b7339ffa5b20a27

SHA256
2a2857dec44ea7ee7ba9118528e70eae29f66f83dbf83634b5c769f9f0cc41e4

SHA512
ea94703adf9b0eb999a8a49b643e086c5be1c1092cdbcf6b8c6f1208a7a2c8e4d051a6d5f02cc3fb1e6a559842d0ae0025c394880ccf7f4745e755889c223079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b94c99232139611856472cc5dd9a8be6

SHA1
50b55a9a6949d4f9e24aa9068951fb593690d2d3

SHA256
48f5c6fe54341d8ca298d55d4ea0cefea14b776d5ffe57d14c71ae9e8b7bc678

SHA512
f520c4372f0017958862a50851f8739d2a92523cfce629196bccdc8245e562f24dd8ef550f4111e07d1262d04fa92eb74e7bda54bf7758a1840629b10f2e2511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7565a0ab8fe84f76e1adcc9430f501b

SHA1
449fdd559dd15941e4c0975db0db361066822689

SHA256
9d465041fe5056019e67c16c0d61cc1cda55b541f9e705e9fb6feea6d53cede2

SHA512
eeb3b0f33e5827054394cc1e6d0ff6ade3b427d26225c5dccd709103b19b60e890363d5f8b6654aa789e44e5b960fe303bffae161acb465a06a247de05288d86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b6ef54c9681aa3b1b79b43f113ddc05

SHA1
01daa81f062f6e008a8ea82ae6c2a67724bf098f

SHA256
21033a6a86a4437e24ba167c846355f2107990ed62f5cba0e44a600b5988e67a

SHA512
dbd9f3d4430e5a420e102abeedadc669571550f7c0ae3c5a5bcf173f4ba4b0e06669025d9b4f251c6a1e4fe08a810233900ba13473a9a847ebea1bd88be80cdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b57a79b61e09e979c3f67836b4c631b

SHA1
00908a8e419fab632726f35490e3a13cef4d72fb

SHA256
f1e22c9b9794373f210295a4e0fe2c6f47ff87e32f126637e1c2f9cfa8bce8fc

SHA512
0a93e1cbac238b2dd49b6ced9d2ab3f5b69e898e3635bf017c2d0576c116a41be9b8af421a6875c0583a9a90fefd8edd5625b29873a505010878ed9d86361d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b3a33ff970491f3f9267a39b63c05fa

SHA1
67e8d738ff34854d0831242655072db44d192522

SHA256
9795b8ea16552461df37bf508773cccc860cb48902dcdb4d296210c2d5159cd9

SHA512
0121784f90d5496fdb7c9548afbc64274dd44bff3cfc1dd1cc152ec0564bed696aadcccfef8eb2cfc0183e81d71348ba6b95aec8494ab5e962db02d80332c971

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e81e941531cdb3b3d6a118737b091d53

SHA1
b728843460ee0b50867d1a9dd1afc17e664bde0e

SHA256
20816b973e5c1715354c785b48ef48d4b7ab9ba5a587f4e5b15253a6243fb3d0

SHA512
333c252316b7d23a14545d8145b4657b7cd63803e6aa649ff192b8c7f495ecf34a92c4f443bed40864d594ac0c248774a5ea24fc0c0be6b5f0eae1247305691f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08732f1d9fc9258e9409df5af863cf76

SHA1
3b43ca47b16c892d0e509268382a630cf415adaf

SHA256
b8f5924c20143f506586ab6c6f96646fde3fb7c821e88165b6dbfa8b604a0905

SHA512
f66dd920104e9111f2dcf93212b85afba05c8bda636ad16a5549cc43d5c4c5a460340cd222b4d5c2f62ecbcea786d76775682d18a4359916ab337a9f981577d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE265.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE41D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2384-4323-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2384-0-0x0000000074901000-0x0000000074902000-memory.dmp

Filesize
4KB

Download
memory/2384-9-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download
memory/2384-8-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2384-3-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2384-2-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2384-1-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-3609-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2888-3610-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download