chimera | hxxp://roblox[.]com

Resubmissions

30-01-2025 19:56

250130-ynna3a1mcv 3

30-01-2025 19:50

250130-ykrt3ssrcj 10

Analysis

max time kernel
238s
max time network
238s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://roblox.com

Score

10^/10

chimera discovery macro macro_on_action ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jre-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/3812-706-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (3280) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 2 IoCs

flow	pid	Process
163	4668	chrome.exe
163	4668	chrome.exe

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x0007000000023d17-666.dat	office_macro_on_action

Executes dropped EXE 2 IoCs

pid	Process
1164	AgentTesla.exe
3812	HawkEye.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
163	raw.githubusercontent.com
162	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
180	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\AppStore_icon.svg	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-16_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\BadgeLogo.scale-125_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_ReptileEye.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Video_Msg_Record.m4a	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\3DViewerProductDescription-universal.xml	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60_altform-unplated.png	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\skins\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\View3d\3DViewerProductDescription-universal.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-150_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-20_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\info.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-tw_get.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Lighting.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-36.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-40_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8041_24x24x32.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\en-us\office_strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\3px.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-40.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-125.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-150.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-129.png	HawkEye.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-40_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-100_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	HawkEye.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1914E704-DF44-11EF-8FEA-72EA04DBEBB0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133827403064832538"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
4152	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1164	AgentTesla.exe
4152	iexplore.exe
4152	iexplore.exe
980	IEXPLORE.EXE
980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 4924	264	chrome.exe	84
PID 264 wrote to memory of 4924	264	chrome.exe	84
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 2640	264	chrome.exe	86
PID 264 wrote to memory of 4668	264	chrome.exe	87
PID 264 wrote to memory of 4668	264	chrome.exe	87
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88
PID 264 wrote to memory of 2748	264	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://roblox.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd088cc40,0x7fffd088cc4c,0x7fffd088cc58
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1712 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4380,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4636,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3392,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5224,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4728,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=208,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4496 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4928,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4368 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4060,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5448,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3868,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4396 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4940,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5408,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3876,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5596,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1128 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4452,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5844,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5876,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5328,i,1215004087641330030,5266022717654120271,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:4792
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Chimera
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3812
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4152
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4152 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:980

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2692

C:\Users\Admin\Downloads\AgentTesla.exe
"C:\Users\Admin\Downloads\AgentTesla.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml

Filesize
92KB

MD5
b1f84298a6a2c7e230d9ac6668eeff5f

SHA1
a5bb6f346971a0fd5fdc564843bd9b75f8f824c4

SHA256
bb359b1dd8411fa8f2dc39ac117a5c8dcc767fbb91a57e82c6b8485250f785b0

SHA512
a2ab3f2024de18db7cb6d95a14c396406531b8812ac6b5784c8e269aa297a1c9b0e1eada653bb61777228b2d454efdc9ef418e5b03219482eb7a4b770fe2ca05

Download Submit
C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml

Filesize
6.8MB

MD5
73d40e740a6c8804c7f484a8d5087b64

SHA1
681d08690a7208e4e9d35f0e193410eae7593ecb

SHA256
9b04ac30ae4758ffdc18ee1dfa77d312fb8c4583063f99d4198a60c469ab2f3d

SHA512
bc39476420203493308b4222b6b53c35235469b456b4daefa50d4158abedd12fbc1ad1e94c7d088d38ec38a5dc5b290975ad2635038b387bb6d30989cd8f6229

Download Submit
C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config

Filesize
2KB

MD5
137061e33d7cfe2874a9b3d5feefa05b

SHA1
55a9303913a742bda534d37e105591d6bdf6a58e

SHA256
5a190c01273df1fda0b42e36a6c521d858263126992c8a604c23e16c6184e115

SHA512
83f89f7696f4016ee27c07f3978e3113e92f876cde3d8c6ed046c4d1013cf9b900440d5b974086f8aa9b8ffa97bc588591053ce58fafeb3aa72c739115f2161f

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
c9c616ae43d8506463d64c3f417f968a

SHA1
66c504904f53ea6de6d5f8405fad0125e23631ef

SHA256
bbf4c6b55b093fdebdb48d5421d3a1d56b38c26108025effc45649cb576a15e7

SHA512
7153967be2de371fcf3c130170ffcc5fa46d7dc0e34e0567e4127bb4ecc6ffe9eff21b8924d0fb7d9013916e50ac89fdbc123ca6cfb967aa2cabeb51bf504ed6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
560a282e7f017a3cbb0050d57d0a9373

SHA1
3decbb24be775ce21216aaa86e8831cde758e104

SHA256
0b3c7c1cda8e18b92fb1f5e85e85286cdd371090fd358e41067b4363a74b511a

SHA512
6f97b2d2157a8eeaff994c71d9d23163959f3e1e3bb76940c157dfafae4ecf8249cb9943a97e3c5b31fb887d633cee5c0a1eb341c5c2827f12d1118d9dfe65ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
f3da123d0dad21521765feba903ac3c1

SHA1
1f6004204ede74f356e3c791634985983c9665cd

SHA256
c3f66d994ebf1b70628e36ece1b82fc2a3fd045749c457a8df174dde8602756c

SHA512
a3fc022a8cb5a0af14631d2b1b137f42d51f981ebcf6427f6f5ce9836e48576eeb536f32367486dee969cdacb1d5da63f69c6bbe4b0fcff06ef1286208f93467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
f2f3d51f7753d23be5d25054bb2aa9fb

SHA1
270595bf952597ac907917fa888d52e062c67fac

SHA256
c4751d8be53be31462ded6cc95dff5e89111fe018ed3287e100fdcdcbc1587d2

SHA512
0690dce0336b40c9979d8ae4ad28b897bec342a0e51ad76bd26a350e63d15c45623326c37604d55d1b4d9953b200ceb324ff0c1be05caebe7a00b90fe0e6c67f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7b9a461563fab605ef49ddcd890644d8

SHA1
18f3da48ce7a8583fdd151c00395f20a8351e6e6

SHA256
178b6002076bdd7c714a902b1e7ad1c302b822de563aba62da8defe6d3382597

SHA512
9e378232dd0ef510bc7117c0f018b262fd7b9e7fa73c434f7de8f7779c36106128730b91027e44a384a9af2c1e5118b5f0c5c417e752b353e68c23b7dccc855e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
4d5fbe1d294bb3180969977bd677a3fa

SHA1
e570c3f7fac72f596074ce331039bb0aee4d4d3d

SHA256
e6c7414f4562f61d40420d308381e62d05bed68886d8a164e8fc95a186401203

SHA512
5ee3a6ef4c09e9729023987b98aae37f201e025b0a2ff9618ca4d66dcbd22853082912142989d5657662e886266f968079d8bce2f4dd54264712c958f8adb0a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ee33fcd68d6c09d815f790dff2112a46

SHA1
6361cbc700537b9a9868416446caea7ad5fcfada

SHA256
3187c912e0673664db60870f42467595b712b1cf2041b6aa9dabc16d11f58826

SHA512
de72561658a795cc81404a4da7ca79f903939b5ffa4efcd37512523c10b19cfc9925f3781c7169161405199dea706a493a96f7b7fd6246544184ad03f818ea98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
7133d371a998ac5238cf3fd22b4cf9fa

SHA1
81433e344a9d07c97a2eec7fcf395bab898cf60c

SHA256
9f11c47c13f586a5cd8a5fab2e017cedf216a75f94bf708fb9a3b5dde5465d47

SHA512
f3f14bf69aa9e9db9f0d8938de434ba812fd2b4a859850458c2556b1833bb7b3322dca43e806737931b73c3411d01cccf35bd04e10770f5a8d9b58ff45992000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
af5ab886710332415bb214ab0085924f

SHA1
98e8552dbde8fefb7ccd17758654785467715f7d

SHA256
4eed8ca4ff113b615d11a6c192197b491a16d161e60299a456d09f03685b831a

SHA512
aefd9bb581372cf9a31e900981570e0719d6285d6aa1e2b7bec53ae04aae7f9cffee99e1dc8f2d0c795e90efad35833bb7e4a52770eb57c26a1089eaefbb4732

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
6477c722f7acab288a8df86f9c85c956

SHA1
8f5ecdcceac38564d38e845e9bdf15da72ecc48b

SHA256
e1a622a64467db8c1d07a03e75b1807d611789adc911cbfbc4075117bd1a34d4

SHA512
443ecd3e2e665b23db9b6e06ef4aedc81d6f0bb3bc0ddb0f20d3e42b8f7173983467d907b1d04ad9f841f4b7f1fde24df7002370860e14fbc9ebcfadaac9ddfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
92b3813a4d3cb2062ac0c6e58121762d

SHA1
3572695850dddce5ba44240f95813784ae650e5e

SHA256
8ec220d52d70450b946fa17a82abaa0157b305ab7dbefb20f733c060a46a09de

SHA512
4c03dd1f1b620ff4f380ebb985d61c47c3773036e5cb170d4f9db603fa7a6752f76cfa1523ad81f8e7a15e2a0b674a02f03fc853591cd405b2e52796d75d7d36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
40bd815d4ec870952428f92c0c8eb503

SHA1
2b0b94cb9f61b549814da5ce29a87a7851ba1539

SHA256
8e1653425093ccc9d7c64f2b1c9d6be2de3b3b2a7f09d4475fe7623ba1bbff7e

SHA512
1b9a69f81bbd51ec80b8566b661d9790ef975dc49f2e295ee8006ab2d5c06d0998e6412d9d411abdcfe6c148bda0c8fdc36ef83dabce4d557e701276c694e59e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1622699c77673071834c54dfcca199a4

SHA1
cb2cc7ef0a83f67c1dcae690e4362a081185ebdf

SHA256
97d060177c42ef7856250978b57b473b0dbde98f0ecf94a653259ba4a064e003

SHA512
856cdaf82fe5b82205dbe9d653c0c68b1b0ac651f901afd9731bf64d497844a5498a9bcd002652156a611c98e2539f520b5a6b342927245011dfdec91d37a44f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
0f2f5e88815fcc717e524d4faec2906d

SHA1
819b4f0534c86031ad78b1b48a420c366053ad75

SHA256
b5e157c2ebea0fa60db988d4fcda36d706072727500997a7d03f45413cfe5b31

SHA512
d95800ef6184189f91242b8dab0a99312b28f5dfd84518afde848abfaee13166bf408b2aec502fe29472ced7fe542cb52b3de9b67d04bc3dfbcaad11d6ca03fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
02221545d5419bf77c61bbadb1083e93

SHA1
ffad734d316513e42d90dc99c3c1cdae31125ce3

SHA256
1c62c6e2307285073a94493c3d5079883323a18c2ee3879140346ebd051ec3b8

SHA512
e614698a7fdcfc04c54b8f3d786e0519cdaeb0157eeea745cb2885fba3b6c003e2a9b8ff7eab6b4a4e8638c21afa0166596c8d558785d672f8d7d37d5138d0d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bbed91cbd84997b214306eaa62788cde

SHA1
26efc8eb7d1f2f9da163aad8a139b7bc706e27c1

SHA256
1e5b769f747a2e39afb37534c813cfa9d63880f76809e133d76cb2a53c2255b1

SHA512
b7eab60f695bc1ff224a1e3b959cadb9362b6f03fc4524c1b4e095ed6649272d4b4f62b65dd8a149126ea6962ba3bff298e6a32a944d03824f94f75bb2f0b131

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1eb74039a6e518e243e36c7efbedb143

SHA1
29cb75890c80a72bbfc82719f9eaeb19bd4065a0

SHA256
b437c63575d2cab2dca04911b2032ba4ebfbbadf59f50a38efa3907987882f83

SHA512
794e984b464962bda5a92403abf9a875ce1e12c26a437d51fa33d50001575b9ce465f8d23e18331ee9d7ed716235b449458ce016f4709ab6365655b0224e5a45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8bc43dfec5bbe5d8623031127a53e5c0

SHA1
01ff689256b9d40b1f39572337ddd6ab989c2792

SHA256
3dc663b955f7f9e69ce50b8eda3f1977788c529b35d27bc2bf5461c3b89e9814

SHA512
4435fa9cfede7600c366cfad2fdd2ecd5c9305d570fc68ae606cc0742863e5479ac168a4d8376998a251cf841114879edca837712881fb53965618ccc0564cab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
95cd5f1a17be7a26e1830eb605e95d59

SHA1
67a9cd6a0a5800b939e3daf683e474f7533d054f

SHA256
b1b6095c2684ae4687b45abd5dda147794546aa6cc0af71686536faaec3e9717

SHA512
e0ae8808761b9040f020f1d500b30fca948fd150e191d9198f06eb0ed4073a806cd89a0f04af0769701384c4e591c5b17ba870fc84434ceaf5cd9af3f4a00980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
290482e58371e31c3acee7912585d976

SHA1
8c141ccd79c6398fe29ddfba5a4e299125165a93

SHA256
e651aadd63d3d7af1801e988498c49789c640daf3c28dc9b6fd96a1815a63722

SHA512
63a28c23ee3553b855a5d2558551f9bb611d12e5969d9a8204f37660a32f1351b6e8ba1a96e6c0acfeb613dda066bcf6fee2969cb9204b4e878103ee02e32ab9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
78577a565588df3ed5151a0103c6d859

SHA1
eb2dcd7bdfd69d707aa4443c4dbe5e36a22749b1

SHA256
5b78e41f5cf34e13df556576257d8992c038973d8dae74ebe53f1f13668bd50c

SHA512
bf0d03c2b4b4a29deb778d86865a9083b77b7d8bc874807e312b2be8b13312e2943fd949be6a65beab4965f7146397b69ea2034ae5a9868707565aa2aa34ff76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b2d06a53a5c4b12da41baa90aff182e1

SHA1
5ff826a2c79ff0919f448b9fe82596147b248417

SHA256
8a50b1ec657d909e1fa9205a61dc4f92b95b7e323bb61f84b1bfb3882e000c10

SHA512
621c4b993188e0e1e9e90416e90e1428a3e55cb3dfb39aa6b299a48767e79b56f6492cafc5949ed79a7eaa7d9aed954211affe37097d8b1090b1c01a52a26a10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5a862f23fefc1f8317f961176b4650ab

SHA1
a72af05e1fc38783c900fbca7511879bdd937e48

SHA256
14b8e4ee0b6aa545338d01c73256fa92dde35d596587f64d3223707f6080a5b0

SHA512
9a8c60056c107197a6a80432b4f210deeb405bbda02063d5ef1ea96d483e0bb82735d1346594259358caa6543dafe49c4d0f5504e7267a47da5f15654a136ed0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9a2e95142f9944b4ca1d257213e31cea

SHA1
c3b997ab860eafab97fc523604049bf16b323094

SHA256
d8323596a0348621c4386201a4002cb60e81b7c6d67bfe547c63ed1186d0aec2

SHA512
2f473f0a0f1a60aabaf9e3b1bb5f09a5e10078dfe04ded85a2d932a45c80fbb79227e4cfabe484c9f4a01c4c80ee76d906f14b056c6a03d8ddee3d048355ef09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1545baab6407342bee6727a88effea38

SHA1
2e30a04a65ba30ea741c6a880ec507153608afbb

SHA256
30541fb7a2b092f16c1c4089510e9c994a5803199852f332a6896454bfc1f4a8

SHA512
0e50dbc46b032bfde42c2f2ce67753e451673f55ba0743cda6d3ac5fc6a478b6605cc1db29117b9b1a9b1d05c6cc0f1567006ec2c9cdd5d9dfa6446e680880fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c28c85e4e8b5c0e52ee1b800a82d7e87

SHA1
5721a5c168ed690f4e1c54e5eb90c9c5fd79dce8

SHA256
a2547425128c9bfc679a847b7255ce0c46ee3ff43676b4d9c41907867b673b08

SHA512
3f988d63d49f36b12d5b7ea37ae3eaa194c21ba55043a9da4198c317666ddc81ab7708782252c9f997124546e1dca63e32ae5133d03798f52ed5694a85441f22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ecc9e49b905c10867a2404c4ca458ea0

SHA1
41d6855515e1cd4629f3fb89af43895332a18dc7

SHA256
2d3fc3d1c51bc871bb557a91e3fdf688e318a5cc3ac4738c5eaddf421434cd7d

SHA512
89580da9595b0be628542ec8322732ee19db81333c128770f989c5d2bd60820c5d48764e30ee36e7ea0c06ba8aa02173026529a94bdc6d6ff28ae2e49a6e7697

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1d9833a11263de688bcffe4e22a98a4b

SHA1
572d20d2cdb6b0d5383085645891327750fac1a1

SHA256
4f85c9706f8f09829474f26dc7dae4f385f4650543073433fa98d61aec34a3dd

SHA512
18454f2e7cc02e96ec80d65146b015bc4bd0ed25cd1a008d90584e2c45cdbd3ac93a6765d10d165a4161fb6f59bee2c04da4448c9b17ecacffcb2bd172468a07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
46ad6ce66165b00f70a6080b3e841b47

SHA1
82f008a6ac88c9fe72fd679473ea25b8d7033b02

SHA256
6b6168535da30eadac53fb74b6b36ff2043482cdfbe2c2c9fb0851596389a2ac

SHA512
85dd8497ee0a98d08dbd0f056c115e6291cb3098a74d5914b2e8cf77bc774f2977cd4f1346675ee4b902cf2c3ea0945dc2e2b300582a9accdc32131caec2c54a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1747d01ba8a77366dca905301e8e90f9

SHA1
13612fd77b14386b6e75dbc7fa63023c506cb474

SHA256
c029b0d8362ea9afa553bf0da7ecb06cc2b0a978950eddc4299d2898b6741836

SHA512
6ee5ecf181f5ec13f6096d48295092991112614c3cd2ec5378786cf3db32b028fc814e8c8cdea8a5a964149f063c9479fadd0e5df86b9b6cbab958a94cbb261f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
06d6460a6fc3a273a7622aceb7e8204f

SHA1
bd7bc139fb188ef32a8a3468afe9bd9b17fdc079

SHA256
371bf6fa4bdbc54b80466f705a28ab0af925bf73c7ac6361ce8de907a3f0d413

SHA512
c326adf5edf8c3d0186ec78244fa02a648ca7a51c1970d0fc5362833aed62bbd462f5b11a1053bd7d47461cf6d71947bd88897f5d7dc1125e1c303e31c05bab1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
209KB

MD5
4569b2013e09bcab85bd3bcfe17aa92b

SHA1
3936c1f81c49cbac17a63f6d655771342f3afdc1

SHA256
b86adfb4c264c0e8f433359f754cc5929f39d8c15fd8a4c443b5a5c5ea785c16

SHA512
e51d6eb892ee87bb243ae4bf9d7415d6644b712854565782c8986a55842489377cd9ae0ea559978e7a4e617e4e021c21a05986dae4abcaf48af65b2ed9284f0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
dfba71fefcc6eca3d5977814ad0e7629

SHA1
f7af20ff56cd1bc1be2060657a53b1efdcfc4649

SHA256
8727f1fe9bb53485030f6d5b0aba280da39d8cc307ea68f910826173fa3f6595

SHA512
4384262e5b35cc698fa3f45138069141580879cafc069f0e39deaa6aefc8dfe2435abde70b9b3ccb79ba7ac7334f1c385218a3150b20bb0e20f13ca268c4f9c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
124KB

MD5
66931375ae001cf4c76c45ccf21421cc

SHA1
85caab5b956e988aef2f3612410db7880be79682

SHA256
090accdccda14230c530c2a0e0d14a66a6ea8d3682d35dd72fa1811f08c8c0e8

SHA512
3f501860be64105c22ec487b78bebbafa59438b726168d3dc121ab0199840197803cc1689ed331be1a63eabd91b980441067dd9cd7a4f14cdb07dd8a7e752f48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
124KB

MD5
db9b3ee14b111e7ce5e373096800bb24

SHA1
07ea6fdba8cbb45c43c4ccb3257917f10edb737b

SHA256
bf55a64b1badd16bc05b268c6a0d8362619827d1940e4fdddb10cda6b8d1ea6d

SHA512
39d4a81868b99903c73f77731e9294b3d4268cbf2d9e1c2e9eec669a84d69d9a21c6bd89980ee502bbc864b8644b521abebb06554cde596904512f4b4c44ff12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
124KB

MD5
b6fe9d01747c46932679310ef0d1b233

SHA1
7426a369a11b0f7568f7c2656a8cc8d45a425803

SHA256
1e8da2013c459af2be108d92250943025a6e2f6f53ed061759c7842890f83254

SHA512
9c13ff9f1015f6fa87eb0459e2c6fc4e024595e4e52e6cd42dc9ba459dd3a600c189ea29c20cefba8283960225373f8f3ecd3e05c1566bc26cc719222597da30

Download Submit
C:\Users\Admin\Downloads\AgentTesla.exe

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\HawkEye.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\Downloads\Kakwa.doc

Filesize
72KB

MD5
d19e7e765df07cbe74e8b5a2d084e85c

SHA1
0b7b70233572c7d6c40b09d5ca96fa76bde190c8

SHA256
4ef2e6695b84d2b350ac3b91d5428495daf22639a9aac4a681a1c58acef9c9e8

SHA512
9ced5c53cd7846a5ddd99266e8424fe65f299d300f7b167ab1747f1b975b9038c38663abfb065f5455805b557ca1b7aed357404ca2da976bb355d264f6e5f80c

Download Submit
C:\Users\Admin\Downloads\Kakwa.doc

Filesize
72KB

MD5
9a039302b3f3109607dfa7c12cfbd886

SHA1
9056556d0d63734e0c851ab549b05ccd28cf4abf

SHA256
31ca294ddd253e4258a948cf4d4b7aaaa3e0aa1457556e0e62ee53c22b4eb6f0

SHA512
8a174536b266b017962406076fe54ec3f4b625517b522875f233cd0415d5d7642a1f8ff980fb42d14dab1f623e3f91a735adefa2b9276d1622fa48e76952d83c

Download Submit
C:\Users\Admin\Downloads\smb-7teux2sm.zip

Filesize
31KB

MD5
c28e52d6f37f64d79d4f43fbde9c300a

SHA1
c55ff6edc8b7d6f03032226fd9cd4daa416b97e3

SHA256
542189e321cb0c3a7d0b25ebdb4d9926e0770e49c30791264855b0b9152a95ab

SHA512
f60b247d92fa8e5b1c4e009dff64d32309c9d77343428fc3686885ea409644808d7302428447c23c4dd6137ea326f072628a2df6f5e8e19a729824afd8cc51b9

Download Submit
C:\Users\Admin\Downloads\smb-b_8ti77_.zip

Filesize
52KB

MD5
99ec9f463bdedd73f4cd4074ac369ba9

SHA1
9d493c9328b415cbfc8048a10d8a1f62cb25479c

SHA256
370dbbcf8dcdeacf63a821d3a006c01da79fed3c309f88ec3c8b7764924645da

SHA512
807b7454aa71d40c3cc487049b20b996e742d70da666c934d3f1785e6df05fb77f558608b7aafcdbc7ebe30a3554150129fc09e63eeadee5c4d7eac201dce274

Download Submit
C:\Users\Admin\Downloads\smb-b_8ti77_.zip

Filesize
53KB

MD5
f88e36b4c986af52e18a7a0b5a757b5b

SHA1
1e27045b8297e59effc99af1b2ce5bcb04ab5ae7

SHA256
0eba5edf93429c63b665bd95f67000d2f5a0559add7e1b390e7fd67602edee54

SHA512
44ff65ee471133d670377e5a56f4379c79135928fb5362edd73c5af7c3bbc9dca09836db3c6f75b75de823ee9d792f341d76fc9ff54bfcdc7919839fa55e2f0d

Download Submit
memory/3812-1386-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/3812-711-0x0000000004EE0000-0x0000000004EFA000-memory.dmp

Filesize
104KB

Download
memory/3812-706-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3812-705-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download