chimera | hxxps://lost-pizza[.]itch[.]io/pizza-tower-netword-cool-build

Analysis

max time kernel
114s
max time network
128s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19-08-2024 09:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://lost-pizza.itch.io/pizza-tower-netword-cool-build

Score

10^/10

chimera bootkit defense_evasion discovery persistence ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\dotnet\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/5004-538-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Renames multiple (3272) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5004	HawkEye.exe
2940	GoldenEye.exe
2356	logman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
63	raw.githubusercontent.com
66	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
63	bot.whatismyipaddress.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	logman.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\FetchingMail.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\LargeTile.scale-150_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-150_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\theme.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\IFontStyles.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-40_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Wide310x150Logo.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-32_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-unplated_contrast-black.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_2.33.33351.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\utilities\groupedList\GroupedListUtility.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\Async.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintStoreLogo.scale-150.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-150.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\SmallTile.scale-200_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sign-in-2x.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\focus.js	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Icons\StickyNotesMedTile.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-150.png	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsAppList.targetsize-256_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Utilities.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsLargeTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EMLAttachmentIcon.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-60_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Icons\StickyNotesMedTile.scale-125_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\selection\Selection.types.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview-hover.svg	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\Dropdown\Dropdown.styles.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\AppxManifest.xml	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_WideTile.scale-125_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-32.png	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\ScrollablePane.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\MicrosoftLogo.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Photo_SpringDandelion_Thumbnail_Dark.jpg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Photo_SpringDandelion_Background.jpg	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\contrast-white\MicrosoftSolitaireStoreLogo.scale-200_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-lightunplated_contrast-white.png	HawkEye.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	logman.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3254110004"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31126095"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2842058299-443432012-2465494467-1000\{E11EB833-FADC-4686-B602-C0BF2C169EBD}	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 854979.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 530125.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{3b182ce0-cc35-4505-be1d-f87730337522}\logman.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{3b182ce0-cc35-4505-be1d-f87730337522}\logman.exe\:Zone.Identifier:$DATA	GoldenEye.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2224	msedge.exe
2224	msedge.exe
4416	msedge.exe
4416	msedge.exe
848	identity_helper.exe
848	identity_helper.exe
3852	msedge.exe
3852	msedge.exe
2296	msedge.exe
2296	msedge.exe
3872	msedge.exe
3872	msedge.exe
1788	msedge.exe
1788	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	HawkEye.exe
Token: SeShutdownPrivilege	2356	logman.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4952	4416	msedge.exe	81
PID 4416 wrote to memory of 4952	4416	msedge.exe	81
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 724	4416	msedge.exe	83
PID 4416 wrote to memory of 2224	4416	msedge.exe	84
PID 4416 wrote to memory of 2224	4416	msedge.exe	84
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85
PID 4416 wrote to memory of 3648	4416	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lost-pizza.itch.io/pizza-tower-netword-cool-build
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd6bbd3cb8,0x7ffd6bbd3cc8,0x7ffd6bbd3cd8
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1328 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6752 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6704 /prefetch:8
  2⤵
  PID:2564
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Chimera
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
    3⤵
    - Modifies Internet Explorer settings
    PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6884 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7940283674120814516,5267863216624273078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7008 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2940
- - C:\Users\Admin\AppData\Roaming\{3b182ce0-cc35-4505-be1d-f87730337522}\logman.exe
    "C:\Users\Admin\AppData\Roaming\{3b182ce0-cc35-4505-be1d-f87730337522}\logman.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
0923527f0a12e4d2c68f52e38dae6857

SHA1
1979c10d20d9dc232ff28219813f968bc0b9ec6d

SHA256
48b99c30e11a04f362daf0498dad33f42e9f0de10be9bbda02d6f758a08caa8c

SHA512
9b2b4c28badfffa7bf006311ba8adbd1061f0f37372cfff7f949642e511c393f0c10a241fd3039a324c95ce79be0a44552542b83d595383edb80b4b6be51ab1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2dedb259-69bf-4748-86f8-5c71c3b4d8fa.tmp

Filesize
5KB

MD5
501e16dbf4da822db79a0ea54da44d42

SHA1
3bf90ff15efab6583513cb2f0192caa221a50204

SHA256
c9607681d9f68af1a74ebbb9dda19237e348ca7a361b8d36892959b157da20f8

SHA512
6b7136d1b74e5e0021b94ef704d42f0fa335696d294ea66dc2836bad24a81e59dc947bf21e43a8938d1c930df4e905ffcabee03ebc6051167af8ce67e00e6204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
cc886498f5b6179517b5849f12df8b1e

SHA1
b76cce0ff702f8240a51bcb3cbae540ee82bc41d

SHA256
7fb1f8d8a878e9cc2d797784f887f4858e419c0903573b40c28f738002634d4a

SHA512
e28c05b5a46842f6cce6ad17eb747a09de2ef6ac2708c623a21ade7d83a0b5849e353860f36ca4c68af27a154a0368b1de1d9678009594ce93e2903e5cf2e681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b6012e0c231bfe38588ed1186fcf4cbe

SHA1
745a57e8fe3c4ba9f1f08267b55303edf288a78d

SHA256
3a6b687d36604a5710398f2910dd1f1aaa86701d3a4a1de53b2d914bee320eff

SHA512
4de6fe422cafa427639277b04023ccd116e492d739353939484d3fcb84acbcbb1b001dce4a8202ea92c2e2f792d8d3d8c0780b686a57b0d148a702610018bea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8bb0905c5576c66fb917ca247ebfb0ec

SHA1
1b34bc747131ed075dae7c09a8d962c923f44459

SHA256
55cbbe86f32ba45743de1169c28670f9da029503bab58959f4f6b81bb8edab4b

SHA512
ce3850fe5f52f54551f79a083f02999f17a1d746c5a78ebd1f50807835a3b17026253f702b0971a714042430a33abeb98ee343db0096c0e33760c66213f01d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7590ca983f6a3e7c034d1393fcd2ed8e

SHA1
a1b17239e492cabf41f9178c52dfe2d8b6e07c9e

SHA256
ba08ddad7636d7bf764fdafb87c330b2a683f812ee674ec00f35c820fecd6321

SHA512
0ca021da2b12b0ae14a8ca7b79e5960e27e8324fbb36014b95c8fdb5a217fcef1aac7d7aef785b1c6e518fd7a06202f25b288c7572901b03252cd3e47ecbd013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b66193c26443378f1bffaaa2ea1f788

SHA1
97ac42ceeec82e9a2cf5cd98631f52c07ddd06ce

SHA256
c83b4ffc725308bfb5372f42b751f30bcec2978c92ed04d6aac9b63879d3d20a

SHA512
c40047fa2bb066c18d0d20f9b8889cd978a203179665e96710934560e57656c2ec3a1fe027004e852e969fd71670c52958c2ed1525a069cc0a77b97678300c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b5e48e0c8c01dadba712fc4b82cb8111

SHA1
fef957c4f0429fa4d5c4ff197a414e2c5ddf488a

SHA256
16eb3fc2e82fcf6812e1acf4c68ed82d7074bd027dc0a761fdb80141c74e4ca7

SHA512
c06d17559b2b3c943ef0cf6e0ce43a11ca1edeed5172df055916376cf7d301e2c0a010102aac92954236d0d39643499520f851f21f473c8f6f833bf0956cf3d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
f59a4158e66b4481865fd3c84aba3650

SHA1
dd7f6dc0a2d0d672ba6e0998b8f1b7a1e194ec42

SHA256
05c4e3b6373280ac892d28cccebb8024281c22fdc13de08d77334bb9e018e649

SHA512
5822c33f71ab58f759b530defa135f86e9f4f3ef70c9e7676e38c8459e933e7106aa8df1088589a1a8d34ca0155136f30135059671802b817f4b148ab5ebf45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2fe74eca47efa10b8164ac1848f61ef2

SHA1
79eb97bb50839166cd444f646e0c304c17c85666

SHA256
7ec796eecb1cf228e16cec62085695c8dc64ba53b19c704bf757eb4d67ccd697

SHA512
f72bc199d61a7e9abe6c88334c0fa8d3c4139caf391f126b158d6cac037becf133298505a38312db81c7df220045a129f57f4b97cc142c6e2b0380835deb2bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a0c18dc6ad3cce8fbfaf17d39db95010

SHA1
c40ffe9e3f707d1a3d936248d329bfdda76d719b

SHA256
4b286f78f0bff5e18b5f58baacadbc968dd78cfa5afa80f1ccc4eeeaa35058d7

SHA512
66fe3df87e0b872109ca4a36cba8d4fb5f246de51ab7b88722394e7621950229f842154228921980bee62790a665747f4f958115d5e64c01352e0f7abb3b1cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fdb9.TMP

Filesize
535B

MD5
19283c08d6949e89615925dafc29d26f

SHA1
643b756d861d78de7a33ebd42428b79f9e96ec4a

SHA256
f97b4f8deef45a83617f7d20050f8ac6c3ebba3a21af6b02464c721a635eb370

SHA512
4c94336ce200a4fb10cdfa18201398dec9598f6deff74359d4473a32289bd522b32d581799606a092a6333b28009bf5c27aae10de04b7fb55760608ff1193717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7aaa0318c0bcd67463a609f55ff67b7d

SHA1
bfce2ef029b2e53185bc889929c26f2a4fd5d3f8

SHA256
fbb0bf491413045d5d42347c8a5ddf655bc79b553b4d702a223392a2afba5f91

SHA512
c1b74d11b50718f1843f74e70f5918aeac058b854f3a177384faa2d29a5d8f48d84d657d714d3c0f7896b54db7bac08e4e8a58259c5b0d2a6a0f4a4885584568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
821a5b82387ea88f1b4e4641234d0f67

SHA1
0d32790eb7deb15baac79b7efc201b4e2e27818b

SHA256
c1d4cbd43160ea58c2597dd3ccf2ed943585782f40715c5d6a75f51beaee46f7

SHA512
7ac151a7497225e45642a539cc1887abbd1c2eddc50b24bd3cb6c86d8a5f2c97782c360b372c4d5d3d5d772178654cc71d88527f5a4bf45e09d71a4a0ecc3814

Download Submit
C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier

Filesize
242B

MD5
57136f5c2a3f52106b8f84ff9868f01d

SHA1
85fb8c78b72ca52c65de4a1ad888ff5cba2ab69a

SHA256
edbb571ca6f64d756983b866af8eb9997b023822434b28ff0ed024d37a096db1

SHA512
e56812e827ad581cd22ba8a22f2c25def23c04956a3be1715edbf5860afe5485772d18b64cc638a7917d3692b45375948451fac0b822bb7c6cbb2392146bf1c8

Download Submit
C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier

Filesize
212B

MD5
90fa19dce57b5d2efe777b14b793c6ef

SHA1
cfab181379393cac45f63f22d65829fc65717821

SHA256
bd770b19f284b932b0642c9fbea3fe962470928eebc5fbd5611afd3dfa790102

SHA512
f39a577b06933a632c6434e68a77f47acaf02fb286a05438bc3f8e95f8abf5c626bf4d8ccc98998066e31108bcae3d671491d4ce8bcae3f20072fd65369c9380

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 530125.crdownload

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 854979.crdownload

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
memory/5004-538-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5004-542-0x00000000011C0000-0x00000000011DA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads