chimera | 984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886

Resubmissions

22/10/2024, 00:20

241022-amwdaavhka 10

22/10/2024, 00:16

22/10/2024, 00:12

22/10/2024, 00:09

22/10/2024, 00:06

Analysis

max time kernel
130s
max time network
132s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22/10/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveInstaller.exe
Size

2.3MB
MD5

215d509bc217f7878270c161763b471e
SHA1

bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9
SHA256

984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886
SHA512

68e615dfcb1b7770ad64175438a913744c14bdd3af93b339c2b526271bdd0d23334e78d049fdae8ca9fe66672a8cf252ebf891be9ab6c46a3d8f1fb00fa8c83b
SSDEEP

49152:LinbT3qpTDQSmanAmwJAaDMg33U2pLOiniT:LinKpTJmWAmmAMP8in

Score

10^/10

chimera danabot banker botnet defense_evasion discovery persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/4200-385-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

resource	yara_rule
behavioral1/files/0x000700000001acdb-1540.dat	family_danabot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Birele.exe"	Birele.exe

Renames multiple (3271) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 3 IoCs

flow	pid	Process
94	2228	rundll32.exe
130	2228	rundll32.exe
133	2228	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
4372	AgentTesla.exe
4200	HawkEye.exe
528	DanaBot.exe
2252	Birele.exe

Impair Defenses: Safe Mode Boot 1 TTPs 5 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Birele.exe

Loads dropped DLL 3 IoCs

pid	Process
2428	regsvr32.exe
2228	rundll32.exe
2228	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Downloads\\Birele.exe"	Birele.exe

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	WaveInstaller.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Program Files\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Public\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	WaveInstaller.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	WaveInstaller.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
79	raw.githubusercontent.com
83	raw.githubusercontent.com
84	raw.githubusercontent.com
78	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
86	bot.whatismyipaddress.com

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001aea2-4612.dat	upx
behavioral1/memory/2252-5322-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/2252-5480-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/2252-8390-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/2252-8389-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\no.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\pg_60x42.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-96_altform-unplated.png	WaveInstaller.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LobbyTiles\Freecell_bp_809.jpg	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Pin\155x105.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Preview.scale-100_layoutdir-RTL.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-400.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\WideTile.scale-100.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\LargeTile.scale-100.png	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\ui-strings.js	WaveInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\PlayStore_icon.svg	WaveInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-24.png	WaveInstaller.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar	WaveInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2653_24x24x32.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\9.jpg	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\164.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_altform-unplated_contrast-black.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\klondike\Mining_For_Gold_.png	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_SplashScreen.scale-100.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-100.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\OneConnectWideTile.scale-100.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\MedTile.scale-100.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\StickySelection.scale-140.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8498_40x40x32.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\326_24x24x32.png	WaveInstaller.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml	WaveInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nothumbnail_34.svg	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInCinemagraph.contrast-white_scale-125.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png	WaveInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif	WaveInstaller.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-unplated_contrast-white.png	WaveInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\download-btn.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-40_altform-unplated.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\11s.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.targetsize-96.png	WaveInstaller.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Pyramid\Goal_1.jpg	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Premium_base.jpg	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-24.png	WaveInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-en_us.gif	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7989_20x20x32.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\heart.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-400.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_background.jpg	WaveInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_audit_report_18.svg	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\clone.scale-140.png	WaveInstaller.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1849_32x32x32.png	WaveInstaller.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birele.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5088	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2131597123"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2130971996"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31138840"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000064fb51dd8974c04399cf2e142f4cb5440000000002000000000010660000000100002000000097d81d99be9cecf4da400e35c213bd085c40e4653a827009c0d8e2ea6449cba7000000000e8000000002000020000000b3071146f162e1f51f5f9d14eff99d5e0c3272cee678935dd4b31f181c5605f4200000005779034d85448b314921b36411e11d82f319d8f6fc75d78a8ade31db94a440e8400000004bb56d3b659cb563f75df55a5c5d487784ae1a947bf2aefde4815c06f24a64d4276dbd9258608104a88f1844fa8922a6e0fb30a1f1d51264e6696be284e78ce5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31138840"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 902bd87f1824db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31138840"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80e6dc7f1824db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2130971996"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31138840"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2131597123"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000064fb51dd8974c04399cf2e142f4cb54400000000020000000000106600000001000020000000d569c23be46d92ceb148c2ab5330ff5c7b0c27099ce60984a6421a162256b8ab000000000e80000000020000200000004f451929a522239d7553127eccf6b952e2827c8a27623a39b5437311bd503246200000004173ef96df73d3b6d9c53e270ec7bdeaaba52c00ba590803b8589a475cecb9e240000000e1c23ca81c7d929baf65e487ca4249bef88141f4eeabcc7c159ebec012a7e889e272493ed0a43b75b4f326d1c01a090256ebd6d420b588cf7bdff60b832b483b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA7D7E30-900B-11EF-B03F-6AD6A3DEF400} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133740300336234684"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
2388	chrome.exe
2388	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeDebugPrivilege	4956	WaveInstaller.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe
Token: SeCreatePagefilePrivilege	1352	chrome.exe
Token: SeShutdownPrivilege	1352	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
3860	iexplore.exe
3860	iexplore.exe
3860	iexplore.exe
3860	iexplore.exe
3860	iexplore.exe
3860	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe
1352	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3860	iexplore.exe
3860	iexplore.exe
3936	IEXPLORE.EXE
3936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1876	1352	chrome.exe	75
PID 1352 wrote to memory of 1876	1352	chrome.exe	75
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 3348	1352	chrome.exe	77
PID 1352 wrote to memory of 5000	1352	chrome.exe	78
PID 1352 wrote to memory of 5000	1352	chrome.exe	78
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79
PID 1352 wrote to memory of 3200	1352	chrome.exe	79

C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4956
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3860
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3860 CREDAT:82945 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe36159758,0x7ffe36159768,0x7ffe36159778
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=480 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:2
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4500 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3708 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3868 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3852 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5456 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5484 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5952 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=972 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Users\Admin\Downloads\AgentTesla.exe
  "C:\Users\Admin\Downloads\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5904 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5800 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6048 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4024 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1928 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=964 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5756 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1496 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Users\Admin\Downloads\DanaBot.exe
  "C:\Users\Admin\Downloads\DanaBot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:528
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@528
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2428
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6072 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2148 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3172 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5448 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1928 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:8
  2⤵
  PID:3208
- C:\Users\Admin\Downloads\Birele.exe
  "C:\Users\Admin\Downloads\Birele.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1064 --field-trial-handle=1876,i,15600256651997387031,6189372942204525505,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml

Filesize
92KB

MD5
7e7e6561fd9356aed879eafde3bbb824

SHA1
2b1014ea033c87b94dedc71af8b8bcffe9d91b15

SHA256
7badf0c14cffea69748f25d76ef0395088c30ffb6eca5bf84a55cad7913ff0b9

SHA512
a291ca3f8213589a854a362d3cd1efebd5e51a258233d4e484d3d2c6e99e87f3c1069f2f791f70f98ce0cd6073bd0add6c3d924b0a80393617ede9a5fd578b2c

Download Submit
C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml

Filesize
6.8MB

MD5
ab0f78622bafec57550aa600b2cdb886

SHA1
80b6f4d8e4988b8d62970eed3e379b3cf7372e6a

SHA256
8aef0a9402fbe9ad054f0ae7828450c73946e8139cc30e52dda8f69a13030d9b

SHA512
d1bd157eb1062762673a7bc938f7270ae5944def152d723166a0c6fcd4b794bd8fb878c3b02022ac5ba8beb551472dfbbf7503e5fa361ecda498d58bb5d616be

Download Submit
C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config

Filesize
2KB

MD5
9f88bc7e12368610871b991186d4b4d9

SHA1
a0b26c3856d8ee74b50de84b50ead40ccd07ef28

SHA256
9502b45542ae017f8e7159bc96b73979a277399c2b16c1ecf542dcf50ac35576

SHA512
ae4d3b6df5429b3c31ea1faeca033470bbd25f6330fb32ddd51231cec954b7e2ad66146ab8a4004b9a8132e1eb3b8eaa9848803ab4796a0129ccc8e94476b25d

Download Submit
C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
187d8fa057a36d12abcb003a238fc578

SHA1
9628a55fb146fc9e784b730a3ce4715ba62f9021

SHA256
80604c6be2728d8c7f29a319957cdc4b929335aca81bd7e36bf38ed08e64d42b

SHA512
4fabf6ad01a67c40960c74010f6cea4214951aaed3b21c256d894dd6f5c7f0344818f56bf5ae4d8915fabcec2698576a0045be47cb44ec260694b7e1e55cac56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
b909bfd2e03c49d34587e9cdb145c04b

SHA1
15db2aad70670817c64517672f68195503395aa4

SHA256
827c003c6df276ce196f529c9eec8e8e9432a77d7fbf305bf4610b958ab0cc62

SHA512
a89285a7493a5e06117c06b68849e9652e9f1a92c13ff9268c6a718369236637d557ec4f97edf36bb655d155e3f15756834fde9bb4f08b43e135e90b25e9c72e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
c8e8367124c4a549cad622c9cdac5d05

SHA1
7dcb7f0256c0cddd22aa5ba9ec126145175ff23b

SHA256
836b1246a809cf194b27756f15d98772a90001067b80e7fa94d3435b9101242e

SHA512
cfdfb6fb5a79b0fec34a72ece3499787d4d366491ad8cc6bcccf96256ebd9dff782669f646ed1fc9054ddbf078b7486c497420e35f4a707868ff5b7b5e818d8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4efa0eec9ed2d07409c9fb5b5fcb5f40

SHA1
88aaec4c4548d02013577430437ed90fc2264c97

SHA256
60dee4b2055414f61c32d2c415c28c5ce21b11829966932daa613d98810bad66

SHA512
e8b2864366f0efc2ba68ef0dad2a368b3244ff5e2dd69442901af79b7958de8e727360004bfa5368aae6d41e80d99f7296ed52bdb0f4ae80a4f4aabf542a0579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
20d7f91733240bfae30177fa1842d2f7

SHA1
3911626294c2086d946cedba3540e98b39308d27

SHA256
fd740bb62833e4d8c01ad9733fd86f31c90a0d1fd68a29f7cd74d061e0237ed1

SHA512
dadfafa7e07290a915480d715931b5663955c0be57fcccb3fe756dd3744a77f62cf7aada5c64d07957809c664ac8f6bf467883bde0b21fa70c61e7aa713faad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
380d7208bcaf4b4fec41ccbefd552daf

SHA1
f97b1cec0c4bf307b3f84821ac5e0832a9a8bcd9

SHA256
f5b851289d65ca1b27d2f787b9904023875ab9aae06c77c49974308e4ff80027

SHA512
82c40dd108ad06da0398134562a2c80af7df9e0658991c55ccdce5dbac189e855d4cf9acf1fb17d2eb23365221d5a11b2378f95b97b16834331e3c8553f4d25a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
913c30d92295bb48e19f2ace6bb86b6a

SHA1
c87e779ae65c30db54492814ba849b87930a2eb0

SHA256
ad3b92da2d5bc1a83da129e910347903dd1193e554d78cd72fd8e42272920d47

SHA512
7e5953a0cd9a47705f4a527c85d1c995fa0512a169966d00adde4828c64f2e9aa2307fbfd298a6e1fcd6fdd8698933dd3593aba14d9e89ab25f23b69ebf06060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e8b1eaf141c384508cecca73ec070eb8

SHA1
2d2a3f5ee78fd82fff0073a978681a67951ebbe6

SHA256
93b77d3f2ac815a28da0b79b1580663901ae39ac862b35d6d5e68b8dee9b2a55

SHA512
b7ee6dc1d6967e0f2eb7a016fa556737ed965985a4a7292347a0b7f1c474de4260cfc8212e4e5903bbf7c16651de0c0530672e1e54aba875454a5722309dc363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
29d6f289845ff896701034b149db638a

SHA1
6eb4648a773d7d722ceb7d80a7b79a0087a0e351

SHA256
106d4ca9ea2857258f06ed34d4c2d965cb631ce722ff9a0b2cd8f65b9be729f2

SHA512
2f63d0dde839b8eef902f9a2c114071e3f1f0fd09c73f1237f22c5ae6703a5415aaf9effe742021954424b2d0080e51c164e83e32ecf67c939858e3b4855095f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b79e0db5d7bcd055673d8fae14340a49

SHA1
0b892620cb2e33a87e6a6919b7f864dcb1d27bf5

SHA256
c63590330e0f811f6571efc4ea452fed787896ba861204b56fe956e5dc84d5df

SHA512
634d3493b569fb4cd5ff8e993ac23169146eb7c248c4910ef2bc3f7c2952cbb6a2c3bacb8dc3f17bda941b7359e244c6320f2fa79e15312bd1ebc06196e659b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
befd6a46a92fc01080ba31c72aa85dcd

SHA1
6f37d47a5aae4bf509f609087ff859a1a5e75a42

SHA256
ddc505f440f9d45a44b115556e774b443b28910dc2ceae8ed82343a99b17891e

SHA512
14e942cf24eec9b82f09590449e8e15ffd8c604cd49fdaa2700a23f7b637267a86f6b293d379db58de1ce22cd26ecdad4e33f9d8743d0b5c382c0f20f94215d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
a46712dea26d3a6820f99bedb464373a

SHA1
33b0a0b618c08618f188bdbb54c4e2a0521a3c87

SHA256
e689b20f59210b983f297adbb453f01dff4140bc7f473138776769c5f0980eb1

SHA512
bb2020c62f9449780da8b963a2caf300cefdb08d8c91c159fe34c0964222c26afbbdac8b15c2e7eb726b050d7d7cc014f272d03187cb7478e5eca775ac340d6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c66db3adf00a4619eee50c293b9af361

SHA1
7826a2b2d15dbe9ca9a03d05e31ee1333d09f8b9

SHA256
061d845bc806c443c75ca4bc32b0f8eeb4fa00e8e3da7fcb6780d733f5a4610f

SHA512
f7e5825c03275ca03ab87e057840ed2b9df140f8cb4581f7d118f6e3813fedbf859394fbb2c9714b650f0f8f019d31e24951df354ce3b52b842dd05167596245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
12565a5a1b4938ace57e65d8f6e957e5

SHA1
e0d9cb0b8b77747245a62bc5e7486ec2d7d318b6

SHA256
1437614f8b3963aa4f4602f40c375296b9b4154c0477c941857d8d385a00ea0e

SHA512
c379c81d740881e9265970080284cb45a1ff4f694c8ed539d79247b68eda0147aae32dac68dac40a2084d2eda3972f5e6be40807e41c64d9276d169be8e3fbe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2bf7c1d1b39e44c8fe5a4c4cc15fdd1a

SHA1
8222d290c708dc5864769244306a3bb1058f749d

SHA256
d3ed259d922431174a7091b2bd8f42f57c21dfe34883aab93b4028c6efd2a12e

SHA512
b2c50afa8e51c089b7aa0442d5df22939c4c93e14f1c0f349867400903913974a2dacd91b3d051f72901b1e7e59219b392b6b67b3451aa8a2f4e13478c8cb182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ea01890c2ed42c1d1868a55501f274b6

SHA1
d4b241a20aee051152e492c9f6ccf167356ed902

SHA256
bb07feca5eb0fce435cb9810ed05d6decd6098926894c296608c25bebeebb690

SHA512
7564871db30962ed30c0e277aa39823e936fa9a90a588f6afd116284196f1380b64ba7f723fa155ec64c6885cb7f506d60855006838e9ed6b6e604fe862bc7ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0aaf623ef644005fcc8fac0ed8ff944f

SHA1
8cc8bb9804f890335a31ad8a7ced1c085934ca3b

SHA256
5c84cf843c0187f8a69f2da378b5b2fb680f9db38c3733b7964c3eca718598ba

SHA512
123f1b59db489ca36a0a2674022c38bb8772a16cf5d795098a2ff9c7411da6ffb1d4b2c4a10964dec5e50544a14c57512c4a4f8ec7e732f3715eaf796b689e61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d01dae349491e64222c94f3a27f0d0eb

SHA1
ed8ea6a87e01057e100239e11d92449bd2c4d693

SHA256
4a26d4ab6653ac9c57138ed617b65c53ad83730acf73a21aca1944705c72a949

SHA512
5522ade07694bf4f730f127f162c0020af0288ab3f3fc08cf0c580a871c8e2a727d8fece40ae481eedd152de55edccfb05d542dd04a48f97bb49357ddf3df14e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
a2041e9e6c75fcabc45c9028ec2fe79f

SHA1
0dcbc055be0251dc2773d3114a19b48c0d92f889

SHA256
8796f3a14902f9cb2660d06064e2faad5578f4906233d393b1374f2ed61e10f9

SHA512
23afced352addc4ce42f0d0f8b8d8ff44d48eb370446b45e27c488025117b5969472edd4ab36bd49208817420422a121d94dd07d7b0911e3f142e5260742dc1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
311KB

MD5
9f27384bf9dac89cc14fb4ecaaca4bd3

SHA1
95bf4087bb5d29bf897f60c376a40559fb0632a3

SHA256
7cad5b68822e6e2654faad6587ec823b652b01616bedf42d2c177fd3afe407c3

SHA512
87953eaa8d225312b86bc7afc91468cd41939f8bb0ad5fb7b2c2ab390af4ce77a91a8371fa3d6858c256aeb91a03d9e55244c04e3a7bcabb74c6414103d1cdcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
14b8498a51d379ce6e9deb6c1a6f2e96

SHA1
20ff624a3da6cb0a1bda8f2acd53ea83dc49f394

SHA256
9970c260a1775f2ed98405a6f5b1a427769a42f1cfe8c32f719e101ae974bd9c

SHA512
0be849fd5819a642581fa0e4f9ede820065291aad097a8134e1b2349360be00013b8c834fa22abd67034102302c37825f6a40d421e6c69136c3fbb09e786c4a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
263029ff4434064dee950e8c2caf08f9

SHA1
bd694af7ca7e619591420c154cf49e60e9879878

SHA256
75b192b9162164b28cf140bee3c556deec43041c594e6b82a79f23755d723874

SHA512
3d1b51ee28e5424f0ef5e084d5b35894a8c88f9ae7c655a2e14b0cca0d714caf84baa50ab6c69463dddf348564583d570e79e40b7951536900f4c4ef4875dcdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d254.TMP

Filesize
93KB

MD5
67305ea3b9379f6ae924a3083e4b530c

SHA1
384be23adb699b5c3728b83f0ff37d54f9766f2b

SHA256
20c3a5bc4ccc0a1e8ccfeedbc82404a7df5f1c18010e80ba4ba26d7747024e79

SHA512
cbe3440e9f31835cc93da5c54fa3c496215222c631f793d1a732651063445317ba86fae7a1a3311b0486150a30dca5f7c017a2ce3cc5cf0358f12f135727125f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver5857.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe

Filesize
949KB

MD5
495df8a4dee554179394b33daece4d1e

SHA1
0a67a0e43b4b4e3e25a736d08de4cec22033b696

SHA256
201263498c60fa595f394650c53a08d0b82850349123b97d41565e145ddf2f42

SHA512
ce3bef1038741f7a0f90cc131a4a1883fd84b006654024d591f5451e73166b4cae546e307c358b5b90aa0e6517bf7b6098f1f59a3ecc01598d4feb26e6b6af33

Download Submit
C:\Users\Admin\DOWNLO~1\DanaBot.dll

Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\Users\Admin\Downloads\AgentTesla.exe

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\Birele.exe

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\Downloads\DanaBot.exe

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
C:\Users\Admin\Downloads\HawkEye.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
memory/528-1533-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/2228-8613-0x0000000004600000-0x000000000486B000-memory.dmp

Filesize
2.4MB

Download
memory/2228-6237-0x0000000004600000-0x000000000486B000-memory.dmp

Filesize
2.4MB

Download
memory/2228-1590-0x0000000004600000-0x000000000486B000-memory.dmp

Filesize
2.4MB

Download
memory/2252-8389-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2252-5480-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2252-8390-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2252-5322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4200-385-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4956-37-0x000000007398E000-0x000000007398F000-memory.dmp

Filesize
4KB

Download
memory/4956-5-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/4956-38-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/4956-4-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/4956-3-0x0000000009270000-0x00000000092A8000-memory.dmp

Filesize
224KB

Download
memory/4956-7692-0x000000000B290000-0x000000000B326000-memory.dmp

Filesize
600KB

Download
memory/4956-7719-0x000000000A4C0000-0x000000000A4E6000-memory.dmp

Filesize
152KB

Download
memory/4956-7727-0x0000000008D90000-0x0000000008D98000-memory.dmp

Filesize
32KB

Download
memory/4956-7754-0x000000000B580000-0x000000000B5F2000-memory.dmp

Filesize
456KB

Download
memory/4956-7757-0x000000000A550000-0x000000000A55A000-memory.dmp

Filesize
40KB

Download
memory/4956-7758-0x000000000A560000-0x000000000A56A000-memory.dmp

Filesize
40KB

Download
memory/4956-39-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/4956-402-0x000000000A590000-0x000000000A5AA000-memory.dmp

Filesize
104KB

Download
memory/4956-0-0x000000007398E000-0x000000007398F000-memory.dmp

Filesize
4KB

Download
memory/4956-391-0x000000000A590000-0x000000000A5AA000-memory.dmp

Filesize
104KB

Download
memory/4956-389-0x0000000008A50000-0x0000000008A66000-memory.dmp

Filesize
88KB

Download
memory/4956-2-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/4956-1-0x0000000000010000-0x000000000025A000-memory.dmp

Filesize
2.3MB

Download
memory/4956-40-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download