chimera | hxxps://bonzi[.]link/

Analysis

max time kernel
117s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2025, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bonzi.link/

Score

10^/10

chimera discovery ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\rsod\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/2272-524-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (3274) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 2 IoCs

flow	pid	Process
143	4528	msedge.exe
143	4528	msedge.exe

Executes dropped EXE 3 IoCs

pid	Process
2272	HawkEye.exe
4304	HawkEye.exe
1516	HawkEye.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
142	raw.githubusercontent.com
143	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
149	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-256_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-150.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalMedTile.scale-200_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-ma\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\iw_get.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder-default.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Lighting.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\MicrosoftAdvertising.ini	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\az-Latn-AZ\View3d\3DViewerProductDescription-universal.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluCCFilesEmpty_180x180.svg	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-64_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_done.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-150.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-16_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_7.m4a	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlInnerCircle.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-200_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\WideTile.scale-100.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-16_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-200_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-colorize.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\combine_poster.jpg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\5.jpg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\LargeTile.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinResearcher.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-selector.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-gb\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\187.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-black_scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000405671fff68845448cd7db2c33d670dc000000000200000000001066000000010000200000003858941f329aa4b93254fa388b905771769421e6a3667992c2584ced0010c32e000000000e8000000002000020000000ae2dd376811a620e9f95d59af12360d9aa9d93c8c39e4080901999a0ddd8984650000000974e9f00eb3a6f0d6293dc91bf2516ddaf6e6e3aeca54a1cbc95861b076925059bc48c66d10a209dacf231eb95f77c3eaaf37649087e1a844ee40e92f83f315db6593040ae495d5291abfc9ca9a6837f400000003915a2d9507348553844006aedb3f79746e42e87ca6a39180850e96e80f5290dedf23ab2a11e35a3d95bd760067889a998da813d76db3a79e144704c81595d1f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3BAC0D94-EF22-11EF-AD46-F65F9A43AF0C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 25f4edda8f81db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000405671fff68845448cd7db2c33d670dc00000000020000000000106600000001000020000000562479f79bd88eda1aa4d7c1fdfc705d46120231a2e854ca333ca5c9769c22b3000000000e8000000002000020000000eda4f9267ea992d66e8b640eb89b313a75538d3c6e353f925ba09e51b02db7dc100000003998194383e8720656c2c05ed148031b4000000029ce8d81fc40e2db66582da7770fd9c1ae82fb22b4c44835289157695284479335ccbf2750e90d2437f4b55e32c2fc54ac43f590a7840004049d31479fbf1b29	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 413882.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 7044.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4528	msedge.exe
4528	msedge.exe
960	msedge.exe
960	msedge.exe
3812	identity_helper.exe
3812	identity_helper.exe
5096	msedge.exe
5096	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	HawkEye.exe
Token: SeDebugPrivilege	4304	HawkEye.exe
Token: SeDebugPrivilege	1516	HawkEye.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
644	iexplore.exe
960	msedge.exe
960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
644	iexplore.exe
644	iexplore.exe
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 3128	960	msedge.exe	84
PID 960 wrote to memory of 3128	960	msedge.exe	84
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 5036	960	msedge.exe	86
PID 960 wrote to memory of 4528	960	msedge.exe	87
PID 960 wrote to memory of 4528	960	msedge.exe	87
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88
PID 960 wrote to memory of 456	960	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bonzi.link/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab7dc46f8,0x7ffab7dc4708,0x7ffab7dc4718
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7056 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Chimera
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:644
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2672
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,10517305514654351955,14759653504340023728,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  PID:3472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
5f11fcfcbb46c673e0cde5f2ca8a1931

SHA1
49a53e21c3fcac196ff7a5d18b80fe6138fce1cf

SHA256
cef133da092dfb8a946fe5a39692bc8d5462aa98d1219305c6cff21201cabd50

SHA512
1f808fa217cc6c59d55504c4f5f9b130f47f80b4c8cc67559fd6fc976121028600ea1bcf1ffc41c9a2401442802346a2cb28c197da34296a2a6497d056798f87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HawkEye.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25f87986bcd72dd045d9b8618fb48592

SHA1
c2d9b4ec955b8840027ff6fd6c1f636578fef7b5

SHA256
d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c

SHA512
0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94bd9c36e88be77b106069e32ac8d934

SHA1
32bd157b84cde4eaf93360112d707056fc5b0b86

SHA256
8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27

SHA512
7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3e171806-bd5c-4c9e-be26-c4369701ad9c.tmp

Filesize
6KB

MD5
50a487ce0315e02c02371ed0faf6dc18

SHA1
90f075ec5c6ecf69d511259d4d85a68c1dc7aaaf

SHA256
37339dc7e46f167bdf40b3b3aff7cc71ebe414705fd27036750b431f32dd30f6

SHA512
fe6d230b06955bd328a93dc681e59b003b7d348897fee89f784aa4a74440e98a4f4a5f89ae799f869a7170cdd0aacb87e2f4cbec0f89f24b6e871649c7e04c48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
66KB

MD5
8aca43d81fbcf0101c7e53ff877b02db

SHA1
1bb8d51755ef67dd2e5302f87585b0ef3abc261b

SHA256
c2bec5b217c0428bebcd6337b94dbbf943718f0608bf47edd29ff6bdaadf454d

SHA512
1a0d67dd5725f9864556ef6e26b3f21c3cd74d6b2e2b6577f416df617251d41351881da5e7e5b9d6fb042a5f506383c825cfca20f5526ba0f56bc7ba0719853d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
21KB

MD5
c03d2382e103733e129cd1bc6ea3e72f

SHA1
0c75d41585f89a6b7bf129da1d75fc20f8d44b49

SHA256
a8a5e813f2e3b08e7aaa2bfbf04005314144c5fc89f93ef5af0f5c26d9dd8138

SHA512
f27214c369fc7fe63c4de77116e999e03ab8b0f3d5aae7c215b43accdde567718ddf5f7bb25cb17ea3652640bf6237b9e729380e63f871406cea376d2af42285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1aad1005f41422c3c9ec72a0590e54aa

SHA1
d92d3caf24943735925d0580ae86ab69844640f6

SHA256
025e150d70c930cba2d2bf578435663fff86f21b64a7826199f332b35e177fb8

SHA512
aea285753574777d6473521f3f8af4a350ee54642f009242d77cde4bb24af36056e43c1b01e10888138bb6af975f31ca05f902c915d071ab6cbd767aa532f609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
6d8e88e51ac5097f8744a6e4ca846ba5

SHA1
953398015c55293c5913665287d02dc9cb7a09a0

SHA256
126d22e287a0ec0335a046b761a704b1830e6e11ebbcf5e8067b4e26c973ce24

SHA512
48ef02ae1fa7330199819101e30c114295d791b2e305bcc563ada0ebc64bce14f9145e413baa3fddfc5d5c957e8a561548acf23be92b919c5883dc03b452f8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7340fc1e71930166e0b1831f77c4379c

SHA1
dce47301f907a98b5c9eeffba51ab31316df03a2

SHA256
427e4d2d7894ea111907cc2d5f94a41d43ce31acee738ccab2e2e024e0475cc0

SHA512
0f3339e4618c5af588298b9d78c4ff196d2e4f75337fe0b40c475d5152a752b4e72ad2b94968d0611863836d49cf8cab3414d23c49db32e2984f9d1740e0b559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
79488f45492b6eb661b4abecbf3d78c3

SHA1
75b1f9e830c324fec37143f3115f4a73259337a4

SHA256
1a9ed0fad567f81cbad9ae31df2e05aa40635a2099f1958ecc81d6b6c42529d8

SHA512
f43a9162e45fc1fa71e3950fd2ab8218ef0dc9b4fc60fab58e8a7d84c6b3df7c781fbd1e9c36fa10ae066c4d747a1a6d1de40e1a411a4af8f1306efa1c111ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0fdad93e90fa57b224c65c117759632a

SHA1
571ae3c7b06dd07cb2c9517f72dbf8451a365169

SHA256
480b983776568c978e0d54b1ad25fda0502010b5c58d7b95dac04f00e68b3cdc

SHA512
29d3c5cb7c47412c9763d2257563c5e9500ccf12221c5752afab221338adbcdb46e69bbb4cc1d67052cfa8ae839bcdf594b7f7c714a5d2a5339d3f260e7f3116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
841a4a8a5fed36a8d4606523019ceabc

SHA1
239550539e3c5c21b21ba4f0a54168480df26df8

SHA256
ecc4d7dc4f5c342f366c7c4185b9a76cdcbd88828c8be8c4637f9a5231e62cf0

SHA512
ee8161ed5e8a1444f5dd416485f830e49458dff602ab5fdcb13a9aa9f238a29e1ea1c94b04df1998777bc093437496d73e8f0246d8e3a5d88bbe5cc05f79f4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51b3b1de59c4116c165a37d6770ef4d4

SHA1
83f0b8137c28bcd6d75de8d3469760f1809de90b

SHA256
d6d3368b711bc75fa7467dbcb15305c6640d7530492b0a4546cbaa330c6cfbd6

SHA512
9d4e03fcccb3da7e9ef79d3711020a0a080ad8e9685fb4c8d474cdaa306075866466662b8ab4f0aa332ca353446fe5388e1bb2054aaeeebfffb86973223ef2aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
23124109cd6b92c889c300a65815dd1d

SHA1
b96cdfc730641d2ce79105524b535b92cadc5ce9

SHA256
5b47b4488584397dc17e940a261e40e57d555e214d603378240d177e17ab80ba

SHA512
c87e61db28081a92a4f7bcd59732e9abb9561a8149075b7900f566e174e4d8baab4ec5855caa405997bc080b7844f33815053aa6f9cacd8fde2dfd364da1cea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e42053e3f7bd352e55e3d84ddafe2902

SHA1
589a4cdc2ca7fd292f55a4a07bcc748ce28073b7

SHA256
bbbd1dae7104404f4a9343bf710f9a9c424d00989252667408847fdb21373cd5

SHA512
63e3d7d1015b1d68542a7f55a34595312059689c279f86b115c9845a678d60f571dbac2bf4a8f4143131a5a36eeb5fae7132aad04dc393438902c8e90c93ad66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
135b8fa070a81b4c0ff207a742f456b3

SHA1
b5697f99abc5fbda92d3bd704b9f27c88ad48456

SHA256
e19d1691ce12bc73f762c6bd9ccbe179c969f82ae72ad843fa76ff525788bfb1

SHA512
e3c82c4e6fc5a8d9f8fe02214af0348e0261ee3a054468ced901de4dbaafc5f0c828a322e641723226f88094cae654f6aa1a0e8ac46cc96579f3c3acca596421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588690.TMP

Filesize
204B

MD5
a5b5ad755e96f99d42fe0765ca3c68eb

SHA1
fb7fe40d549f411130c7c9c531079affdd72aee0

SHA256
275667e168dfdd688b55dba8f0c02a0b7f01ec26efb4af06f885024dd35dece4

SHA512
f77ed998eb85b892b7d1ababdc9fc2025c00369ed3252674fb560d77b7bbe8f25eeaf8c4bc65cba478d45b328cc037e9bb18196f842e8898ced5fb71e5032540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
500cbca19ade9ba651414f433d87001e

SHA1
c4c51b4048ef8551acd30f18f65e63d54101a322

SHA256
e7a2efe90c4bca3c1a3d4c17d4d03ad39c5cb9957202a2354acbc31018dca7e5

SHA512
d1ab7bdc608ef26fcd9ef3b7a0018111481756fcd8b9f3d3bfb5b7df1eb30d328a08fea50bedee391ae6b4382aa36744633be74f0ddaacaa445613de904fcbf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2b72f1513e35ac626bf2e3fa94a62a22

SHA1
e448f1eb06f5a9403ac7bf302e9f2d30385512b7

SHA256
b760616a8066f4b99ea5651b20d586bba1d55be93f515bc6a3a8e901c9468bd9

SHA512
d1e8926fbfab9c9cf66d233678f6bb38f93ad7eaf7c205794fcd656e0320408dbb660ebc821a497f1cb34a32bb5942c272405d28f4ea5b94ee5ae78b3911e1fa

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 413882.crdownload

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 7044.crdownload

Filesize
28KB

MD5
8e9d7feb3b955e6def8365fd83007080

SHA1
df7522e270506b1a2c874700a9beeb9d3d233e23

SHA256
94d2b1da2c4ce7db94ee9603bc2f81386032687e7c664aff6460ba0f5dac0022

SHA512
4157a5628dc7f47489be2c30dbf2b14458a813eb66e942bba881615c101df25001c09afb9a54f88831fa4c1858f42d897f8f55fbf6b4c1a82d2509bd52ba1536

Download Submit
memory/2272-524-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2272-528-0x00000000050B0000-0x00000000050CA000-memory.dmp

Filesize
104KB

Download