chimera | hxxps://sourceforge[.]net/projects/viraltool/files/latest/download

Analysis

max time kernel
427s
max time network
431s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sourceforge.net/projects/viraltool/files/latest/download

Score

10^/10

chimera discovery persistence ransomware upx

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jre-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\vreg\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/2864-10532-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Renames multiple (3301) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
166	camo.githubusercontent.com
169	camo.githubusercontent.com
170	camo.githubusercontent.com
171	camo.githubusercontent.com
172	raw.githubusercontent.com
206	raw.githubusercontent.com
207	raw.githubusercontent.com
165	camo.githubusercontent.com
238	raw.githubusercontent.com
237	raw.githubusercontent.com
168	raw.githubusercontent.com
187	raw.githubusercontent.com
167	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
263	bot.whatismyipaddress.com

Drops file in System32 directory 32 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1320-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000700000002363c-20.dat	upx
behavioral1/memory/1320-705-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/3044-1474-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1652-1572-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/960-2536-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/3120-2720-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1652-2887-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5308-3259-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/3120-4128-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5308-4510-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1156-4622-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5520-4720-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5964-5286-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5368-5932-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5424-6049-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1484-6351-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5520-7683-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/4248-7695-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/4656-8880-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5964-8924-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5424-9273-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1484-9622-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5308-9971-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/5684-10474-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/4248-10530-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\TracePendingIcon-glyph-E72C.png	HawkEye.exe
File created	C:\Program Files\limewire\shared\rap.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folders\DivX.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\Nero.Burning.Rom.Install-halo.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\Goodtool.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\winxp service pack.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\ICQ Lite .exe	Mantas.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hr-hr\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\BlogThumbnail.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SpotlightMail_2017-09.gif	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\Kazaa\My shared folder\bondage.jpg	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\aimbot.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\secret.exe	Mantas.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-24_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png	HawkEye.exe
File created	C:\Program Files\KazaaLite\My shared folders\keygen.exe	Mantas.exe
File created	C:\Program Files\grokster\my grokster\Grokster.exe	Mantas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_contrast-black.png	HawkEye.exe
File created	C:\Program Files\icq\shared files\patch.exe	Mantas.exe
File created	C:\Program Files\icq\shared files\DVD2AVI.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\lesbian.scr	Mantas.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\ui-strings.js	HawkEye.exe
File created	C:\Program Files\gnucleus\downloads\password.exe	Mantas.exe
File created	C:\Program Files\icq\shared files\Gamecube Emulator.exe	Mantas.exe
File created	C:\Program Files\icq\shared files\Msn Hack.exe	Mantas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\xboxservices.config	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TinyTile.scale-100_contrast-black.png	HawkEye.exe
File created	C:\Program Files\grokster\my grokster\ZoneAlarm Full Version.exe	Mantas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MedTile.scale-100.png	HawkEye.exe
File created	C:\Program Files\icq\shared files\Alcohol120-Install.exe	Mantas.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\selector.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsSmallTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-200.png	HawkEye.exe
File created	C:\Program Files\morpheus\my shared folder\Gamecube Emulator.exe	Mantas.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-72_altform-lightunplated.png	HawkEye.exe
File created	C:\Program Files\gnucleus\downloads\epsxe.exe	Mantas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-200.png	HawkEye.exe
File created	C:\Program Files\grokster\my grokster\aimbot.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\Windows XP Service Pack Cracked.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\winxp serial.exe	Mantas.exe
File created	C:\Program Files\gnucleus\downloads\Network Cable e ADSL Speed .exe	Mantas.exe
File created	C:\Program Files\limewire\shared\rap.exe	Mantas.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-200_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-96_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated.png	HawkEye.exe
File created	C:\Program Files\KazaaLite\My shared folders\XBOX.exe	Mantas.exe
File created	C:\Program Files\morpheus\my shared folder\cdkey.exe	Mantas.exe
File created	C:\Program Files\icq\shared files\Nero Burning ROM.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\Winzip.exe	Mantas.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\s_empty_folder_state.svg	HawkEye.exe
File created	C:\Program Files\limewire\shared\Kazaa 2.05 beta .exe	Mantas.exe
File created	C:\Program Files\grokster\my grokster\FruityLoops Setup.exe	Mantas.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileMediumSquare.scale-200.png	HawkEye.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135694"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4177438058"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000cee66d23aecc2476b83659678692c44d77dece17d94349857841f56762527858000000000e8000000002000020000000cf3f683e86ea4b66d5144e48f2906e213353c4fd922ca5dd2b3d2839ec8e0f53200000003fe6d2b4803e51f17912631ee0a7235687b7d2ab354af60b6df7d9703ba22d634000000076dc969046c123bc8804d2083a552b1153186bba1dc656fc1b9768bc58f18680320f6cf8fab4038bcae7ca2c04ecd1e8d35f677d8d821753ed4fb671281e222f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{246BAEF7-83C2-11EF-A2A4-C63D5579F9B2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4175250475"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c000000000200000000001066000000010000200000007af1da807c1ccd158db59f49e66be70594aaec5b173aea4918b91d1f01e30e56000000000e80000000020000200000007a8cfafa26b94b70eb1e872db5a33a8aa7c5f877b7f3e75dd1d8c358828a5cc2200000000e0f8209498afa7a1fe5247bae0b7b22a72781a9527a867452ebb542042e5095400000003aeaef2f670145689e89639edc8e17f5b40c2ae617283fc4d0aa6d7b1deb9d6fed53af18f7c604a03d8d021ec2f0ad99891ead761fadba9c17ac44156255c203	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e08d15face17db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0b91cface17db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70eccb09cf17db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mega.nz\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135694"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mega.nz\ = "65"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c0000000002000000000010660000000100002000000061b67ee7d7f967d46afba83d8bb683b741cdee964bb47d9ebaf5d5789c2e0a33000000000e800000000200002000000038fd334a43e01d6076d30ceffc8f2b0a29d356a8b517641a3d46a8b5fa903897200000002511f1f905b337a90436633fd33c67d3d5ad07f79be7984248b3489898d4026f40000000e0f8b68e4fd2046e0c3892c3eea4345a2d3bf91d000dbc76ca411c78c08bf86c3f9157a81fa451f9d56fe61c4c558f54adeda0a8589425eba7ae96becb0310e0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "65"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mega.nz\Total = "65"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4175250475"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135694"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mega.nz	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1668	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	HawkEye.exe
Token: SeDebugPrivilege	5816	HawkEye.exe
Token: SeDebugPrivilege	696	HawkEye.exe
Token: SeDebugPrivilege	5292	HawkEye.exe
Token: SeDebugPrivilege	5204	HawkEye.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1668	NOTEPAD.EXE
2200	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2200	iexplore.exe
2200	iexplore.exe
3980	IEXPLORE.EXE
3980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2200	2864	HawkEye.exe	161
PID 2864 wrote to memory of 2200	2864	HawkEye.exe	161
PID 2200 wrote to memory of 3980	2200	iexplore.exe	162
PID 2200 wrote to memory of 3980	2200	iexplore.exe	162
PID 2200 wrote to memory of 3980	2200	iexplore.exe	162

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sourceforge.net/projects/viraltool/files/latest/download
1⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3816,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:1
1⤵
PID:348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4032,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:1
1⤵
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5444,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
1⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5460,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:8
1⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5916,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5940 /prefetch:1
1⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5888,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:1
1⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6080,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6092 /prefetch:1
1⤵
PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5472,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8
1⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6520,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6592 /prefetch:8
1⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6792,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6784 /prefetch:1
1⤵
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5824,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:8
1⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=4912,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:1
1⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6484,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:1
1⤵
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6044,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6712 /prefetch:1
1⤵
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6848,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:1
1⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7132,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:8
1⤵
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=7140,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7164 /prefetch:1
1⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=7436,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7404 /prefetch:8
1⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7664,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7608 /prefetch:8
1⤵
PID:3684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=4592,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=1524 /prefetch:1
1⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=7060,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7220 /prefetch:8
1⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7236,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:8
1⤵
PID:3352

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=7264,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7224 /prefetch:1
1⤵
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=7356,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:1
1⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=7196,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:1
1⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7496,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7776 /prefetch:8
1⤵
PID:1572

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1320

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3044

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:960

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1652

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3120

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1156

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5308

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5368

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5520

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4656

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5964

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5424

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1484

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5308

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5684

C:\Users\Admin\Downloads\Mantas.exe
"C:\Users\Admin\Downloads\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=7660,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7012 /prefetch:1
1⤵
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6408,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7188 /prefetch:8
1⤵
PID:6000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=6232,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7048 /prefetch:8
1⤵
PID:5840

C:\Users\Admin\Downloads\HawkEye.exe
"C:\Users\Admin\Downloads\HawkEye.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3980

C:\Users\Admin\Downloads\HawkEye.exe
"C:\Users\Admin\Downloads\HawkEye.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5816

C:\Users\Admin\Downloads\HawkEye.exe
"C:\Users\Admin\Downloads\HawkEye.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Users\Admin\Downloads\HawkEye.exe
"C:\Users\Admin\Downloads\HawkEye.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5292

C:\Users\Admin\Downloads\HawkEye.exe
"C:\Users\Admin\Downloads\HawkEye.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=7616,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7192 /prefetch:1
1⤵
PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6108,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7128 /prefetch:8
1⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=5516,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=7504 /prefetch:8
1⤵
PID:5856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5760,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=8020 /prefetch:8
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
3df12eb5c281a33a104ce055695c128e

SHA1
baa71c48a1ad9fad705dfc52b2f4ad386fa0871d

SHA256
770b64ab134fb64dbbb52049103d8f59bf9e14754f80372b7446f1c71eb22e86

SHA512
89fcf1446e87578c78b23458a08a2dc2f59962bae4f000308af2b261a6fc4677fd5d873bd11767e82e03814ff8792adea5cb6133107dafa02bd25a301d36727c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\favicon[1].ico

Filesize
6KB

MD5
72f13fa5f987ea923a68a818d38fb540

SHA1
f014620d35787fcfdef193c20bb383f5655b9e1e

SHA256
37127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1

SHA512
b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3

Download Submit
C:\Users\Admin\Documents\DebugStart.doc

Filesize
502KB

MD5
06aae6ce57d35405950949f8647aaeef

SHA1
1ba26bcd624dea14989f7e0a87b094559da00fdc

SHA256
66f661c7f1d264e9dcbed5095e69f6fd4222ccd59b2dea36f786c4ce760d5bd5

SHA512
b05f2012db5d1d6369840a8003c9a1056d06f4de916a415a0e5da636ddfbe32a074b85098eb67802e598e678feec7a05edb6b4c439ead37f5960d02aa2a0707d

Download Submit
C:\Users\Admin\Documents\LimitUninstall.htm

Filesize
611KB

MD5
1537b654afbfe36dd546b9ad84e4fbdc

SHA1
5b362adcca40505e05cd4defa69dd0b3da9313fa

SHA256
b54a1a1c78c3d98b721d5b1954d0ec2186a781487acff8a1035cd6012087798a

SHA512
5c3837a44517a0a9455c4bab7781c04e5e2f62017c082adb27269cb902e5275fb90ee875e7ee80df4cd8fe1dd77272d9aa1372e0d83c79735313073089138243

Download Submit
C:\Users\Admin\Documents\RedoUse.txt

Filesize
236KB

MD5
a0d740bfe5f3e81a851a8f5dca9df371

SHA1
bd8eeeee0c42a94181c6003230921d922e7bdc18

SHA256
d09b810b9a7ed1abaa40570a94738123b1b17b0b4548ec57d33f91f24c30dfdc

SHA512
04b59401f96a65c0d1d40c8626d5eccfb5c5b886318b8bed2b656e85cbbf21304f21d0316c15a278979fddaa6eaa9a59b9dce11e4070b619a14f4d2243dc756f

Download Submit
C:\Users\Admin\Documents\RemoveStart.html

Filesize
405KB

MD5
438d5277d67280b7b5530a7d2ceefd6e

SHA1
8e99d186919d55513a464ee1dcae3fbe15198dc4

SHA256
1ac7e00f9b25adb0612b2d061b87c6bc100f57066dd684d6143d4a77d7557ad9

SHA512
63c40e86fa52ba3325071689bc1f138c0b52cf04ed9f618493b1ff328f23a923a55712e78090048a4fa5a64cddbbf1b3596696fae4f7cb4dcf84308d7712a46e

Download Submit
C:\Users\Admin\Documents\SelectUnregister.html

Filesize
478KB

MD5
6af1cac6c32943976753935433852d48

SHA1
0392b01e7dd3d2873fd57c01eecfb5149221658f

SHA256
3195dbfb4abed36287e19beaa580466bf2e19cb322ea99486a29a18b676abcdf

SHA512
4440f36b86e06d0f5e5353c674c3ae4f0041feb6a996b6fd7ae47f571c38e0296a4fc671fc42f555b5b074a3eeab3846af77ba61ea5684da03d2af182780bd6c

Download Submit
C:\Users\Admin\Documents\SubmitConnect.htm

Filesize
321KB

MD5
4bddadb58d048981ee9096a5036781ce

SHA1
b4f0e0c6f90418e4a21ff7d5a8fb0a8a2abe6620

SHA256
e47329cf18c3daccb1c3fccc60e5a26ae3f30685c0b46a626f6530aaa5b5d598

SHA512
61151f6898144e5f19931f2f33780cab5666fac0f9e25e8ff1feb0f17281322677feaaa411af28310146774f6d089450737841f17ae22119023d15f6ff0d9c69

Download Submit
C:\Users\Admin\Documents\SyncDisable.html

Filesize
357KB

MD5
983a182ad52634dd3d9519a54686ecf7

SHA1
eaa31fca5604410503eb8b14fcaa0b6dec8564fe

SHA256
066ac7fbd8b403cb9b3e0cb1b40153ffa0b5c1456b9e4e12c8a0ec2a8574b82a

SHA512
b746d48fb919d270b104c7b109f2b9532e236ded36364c0f3149bda16adce389b2c522205e13ee594623d6163c532fbf066a57b557734a04a09f0aeb8fd2db60

Download Submit
C:\Users\Admin\Documents\UnblockProtect.html

Filesize
490KB

MD5
ad4e1ce054392fde2b4c8062c5d02344

SHA1
710c64b8cf45865857be862c64ca1c5c41ebc0cc

SHA256
d3a814fe324539e611ae99e4bb1b89af15cddeeae41351aa9f4350cc0f4d77bc

SHA512
4cf41fc7c8fe5cd1515b8c8dc5537a86f2b4f55f19eb1e85ec3ccefbcea26c7e733ab93a6d5e6e52eef529d3478b9cc999958f301b81966fa548f6b597c34984

Download Submit
C:\Users\Admin\Documents\install.exe

Filesize
40KB

MD5
53f25f98742c5114eec23c6487af624c

SHA1
671af46401450d6ed9c0904402391640a1bddcc2

SHA256
7b5dec6a48ee2114c3056f4ccb6935f3e7418ef0b0bc4a58931f2c80fc94d705

SHA512
f460775308b34552c930c3f256cef1069b28421673d71e3fa2712b0467485861a98285925ae49f1adea1faf59265b964c873c12a3bb5de216122ac20084e1048

Download Submit
C:\Users\Admin\Documents\sweet.jpg

Filesize
23KB

MD5
58b1840b979ae31f23aa8eb3594d5c17

SHA1
6b28b8e047cee70c7fa42715c552ea13a5671bbb

SHA256
b2bb460aa299c6064e7fc947bff314e0f915c6ee6f8f700007129e3b6a314f47

SHA512
13548e5900bddc6797d573fcca24cec1f1eefa0662e9d07c4055a3899460f4e135e1c76197b57a49b452e61e201cb86d1960f3e8b00828a2d0031dc9aa78666a

Download Submit
memory/960-2536-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1156-4622-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1320-705-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1320-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1484-6351-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1484-9622-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1652-1572-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1652-2887-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2864-10536-0x00000000049B0000-0x00000000049CA000-memory.dmp

Filesize
104KB

Download
memory/2864-10532-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3044-1474-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3120-4128-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3120-2720-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4248-7695-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4248-10530-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4656-8880-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5308-9971-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5308-3259-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5308-4510-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5368-5932-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5424-9273-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5424-6049-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5520-4720-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5520-7683-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5684-10474-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5964-5286-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5964-8924-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads