chimera | af8a19443518dd4b892c8080ea61b6d87674c73faf1f8f4061d025eec3999649

Analysis

max time kernel
133s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New folder/HawkEye.exe
Size

232KB
MD5

60fabd1a2509b59831876d5e2aa71a6b
SHA1

8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256

1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512

3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
SSDEEP

3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi

Score

10^/10

chimera discovery ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	flow	ioc	Process
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Games\Solitaire\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
	4	bot.whatismyipaddress.com	Process not Found
File created		C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Office\Office14\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\OneNote\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Games\Hearts\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jre7\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\VideoLAN\VLC\skins\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jre7\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\VideoLAN\VLC\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jre7\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\VideoLAN\VLC\plugins\access\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jre7\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Windows Sidebar\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral21/memory/2296-4-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (2005) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 37 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid_over.gif	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\currency.js	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip	HawkEye.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseover.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\weather.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar	HawkEye.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5AF50861-F7F9-11EF-9358-7ACF20914AD0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0afbf31068cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004adde450b38f6f43a386e8f5aafc84960000000002000000000010660000000100002000000047c9d715b5cc4ef4c7076501c693c3bde64d9a6617f896a956c7556421b280e7000000000e800000000200002000000031115592f77608b94284e908c92085ba1c4cd2baff70393c8f4fcc9ff36657ef20000000a527c5422ecc1b5a41c6b71566d3544e535c21e9204a7d21930e07cb3ed3c9fd400000009fddca2c10e2d0cfdc98f8e4fd8fa13f008fb3faa2a483673f0da64749e48987e1deb9a92fe4f79ec5f6f0643c270d037f5e024d0c5c19c80766615d70d0b9a3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004adde450b38f6f43a386e8f5aafc8496000000000200000000001066000000010000200000006534d6f5a8339b2e0d8354a163a71874ce303117c6dfbc8269676d74d977eb93000000000e8000000002000020000000830e7bd5aafa2acd2f0ba6ac60ab949e5160d6b33440f23543db28c2c6a9ad5d90000000e0d28c1c58ebcb03cb221a0b649538f9fba8070be595cdcabc0c96bc643d57a9a8424a43bcd5b02fdad624d8356147b9c141a9e0099ee6e2f8e2b8af6d4c8365291a5d4f53f835d1160ab0249b4f25eb672eecad584724b0d62921cfb79a886d5407e07b4aaa8aad8efb85a5dd382afeeb98b2be3a0c817f5aca2c828afc51cfd86a49d12268a0c8ea1a86c75d98ca7840000000ca63225d0aa8aa3a8fa316dbba7b2f3dc4f0cb03f926a023e64e07e0f0767bac7951136f03833bf16a6de7a3d124b618ffb5ed0eec94b7dabb1df712940e064e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "447145452"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	HawkEye.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1840	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1840	iexplore.exe
1840	iexplore.exe
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1840	2296	HawkEye.exe	34
PID 2296 wrote to memory of 1840	2296	HawkEye.exe	34
PID 2296 wrote to memory of 1840	2296	HawkEye.exe	34
PID 2296 wrote to memory of 1840	2296	HawkEye.exe	34
PID 1840 wrote to memory of 2136	1840	iexplore.exe	35
PID 1840 wrote to memory of 2136	1840	iexplore.exe	35
PID 1840 wrote to memory of 2136	1840	iexplore.exe	35
PID 1840 wrote to memory of 2136	1840	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\New folder\HawkEye.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\HawkEye.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1840 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
b48dfa7df64351f1f90fe0e27a8180eb

SHA1
0c072479c6182e5e744abadc0040ddfccb7d0ac5

SHA256
9228c25cd7194f812fc549e8f178f2de7ed175d7aecc4220a8f8aa98188f79a8

SHA512
2afd3d9d10fb8d7afd7c5fa73aca4713ac17cc0a4b82f80aa0973c489483cab40a4ba0fd96475620fad972c53aea0489f37c0f226fe45e7d7172bbc0a68dfea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f853c4489b0c078b33f3563929014a79

SHA1
012a7037e4bfcc9bbdf994f2d41212b03e1bad1a

SHA256
cc7890f1b4d0ae86fde0eda80ffe64684d64f1758e0ac3028e66e2c16709e014

SHA512
1d2864ab355cac0bb175b6f051ca18673f54e3a36bf8248d258cc8f4e8c665624a025055f9f8b97ec3879ae6079d95ddbb38f13952fa7ad221300963eee8070f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
880037f8a6387d450399a7516a65fa2b

SHA1
a810e33dacdcec30acf1bf881f78955d5111e2d5

SHA256
794f0790c08db84aeb3560a877481bbf455514f7e12f8971b95060dccbfaf8b0

SHA512
24cf3fb9752729c8b3a84e397db67bf134f62b3849e8c1c7bf924898587c02609cfecbc9a8e532eea0421600f659e62d4e7ac51bd65a67866415a6f36247fb58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
744ae549f56691df66f61800aac8cd0e

SHA1
be7dca8682b55462eabc7614f380ad08b8078303

SHA256
e7e74a3570645c504f5ab732367b491a286d86c7bf84dcccf47ca9d94be8ecb1

SHA512
7d2b291d2ab883ae73a34178a18694c06529d1fe495e61c54eaec5d1c9c79ae4bab468ef6e3f1206e21f7317cedb1154230baa89bb880509ff8b498bf37515ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0189891feadee0a2f13599e0eedfe78

SHA1
05000a2922811265218ef05ee0a686ce12a8dfe3

SHA256
ceae2e74d2ee97b6bd98587409823d3178ddac1d4e27b4823d2af3ac286006a9

SHA512
6a0f9f6ac9e36fe41b77cf86c4e9c3fb5dd89928999c1df87a018be1214aac0c802182b89704b87cd8952bc6f02438b5f305db0712351f50e2b91584cfb302dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e48975fbe4e78cd03fba50c77157a87

SHA1
11b0895ec1c71fb59874d888748b4221b5f4c869

SHA256
85a6275e5bde4a998b38e6049a67eeb86d5868adb6aa2cc07eb5a5c50c1df0da

SHA512
886502004bc3414529599eb2990cbbee3b1e561fce23751f1006c58759a20f2984e2e6e72c34cb2ff6117edc5deca94e50278c815a7beca4891067cf5d21071b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09bd81f14d9a3dee811e1e2f6b809a12

SHA1
ffe98c32741759496cca19900ce19da61cd68ad3

SHA256
5f98dc20c35d581fa18cb89cfccf7c177c4a1a86e62600034e85e809640c5dec

SHA512
24b58a79712ede337dfe0fce36309531f72b06906e12e246e508e545533ac898b6f0e8e0fde94924a68a057cd311b8a453111799e18e71e73b92423e11660d28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb4606d41417fcde1c8046d883bf30ef

SHA1
1d4ddd93b0b7d5b94b940593792c1a52ee652014

SHA256
e38d0f710f0a23d07cfd98c507e0d101ee34a36e44f3d40f26545b5505b26910

SHA512
eee6a24fa2e9eb482cfbb7bf63b9d7922d4aef7225141a97db1b9ca1a621e8e13d0c15477d268a9edc881de485dc63dac2edaf6da1ec7cb207f4d8e7a794056d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c79a8d80d56eb550ba808316740bdc4

SHA1
4eb5cf9bbe56ab1fba354ca372d6348b5482959a

SHA256
660badfe41f5077578021b4d32bff4297e693c2af7cb69d34a2245763ac927c1

SHA512
8cdc563f356cb3076da805079b43ce644eacf43a56a72d588b3bf39447f8aea1c5cd9d007e7135fbcf90205f1337a184779b3909a82da0397164c884f80277d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eca4e6aa871164ede52420b2e107fb0b

SHA1
e0ba5ff1e19905d0324e744ac160e86a0a6233ae

SHA256
7dea4047c2b5b17ffd73028c49f83c7ff69920804b2a04f7b7a62d89cc52c7e5

SHA512
466470ddcb26cb9d5858fdf7983db9b62679c7bf14a6a4fe2d552e88364ed2ae6022cc2398d98315bbafeee373c090e03b2e24d697c8c02372d99fbe07860ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76217e3e3af008795c9a2a1278bea63c

SHA1
3d21e984d14b33125afb614f77dfffaf37b76825

SHA256
c39f20c21b6729d79c3c8216d1f7d084d7680169c4e46f796d98339eb7c32a50

SHA512
e99f884d29b63da1eeec13fc6a1cc8201d54d5a64c948ccd514dce3c5e8976894c7fcd42c961c89fa173c0ea6fd208775f62695ead8a862097651917a502d50b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cc3eaf034a16d733cbac8cf07776119

SHA1
92b5fb31740c967a855a892757cdcce0c9278534

SHA256
25487b3a5e86495b5de40cc2f55e6453bcb28613ef1ebeea56a05b727b83aa3e

SHA512
1d67929693136e2b3a79f6f8c0abc192b3a660dec75897c87d200d617dae49da8d3ca67071bbe1474fcb0206bd843d9325e6e21f2c7e66e79f2a806272956451

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8742f0c681f6c07c315a7c8d97da18e2

SHA1
baf9735e86a9b484826dc539d5466489d78d4edb

SHA256
1cce6964f51c7c6acbfaf0f411eb0063768cba01805dc9fb6348dc631c57a3de

SHA512
fe63b0000b8869d0cc367fe212b42ecc2baea1b87ef4fae55e07b43b2a5048be58ccf5774a066ddafcf0a769026ce40dee63bd80ef3d604b85df4d18607bc251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23d002e25d16d3624b012f52d4d3cd1f

SHA1
c8819fa101c6b6cc8bd8c7fd5ccdbc3b33d061e8

SHA256
6dea8d1ee96ec0e868146ded3df5b3dca510703152ddbcc00505d25131d3d5fc

SHA512
3ed006fb939472eed4f7eed8798cdddc3f5ff5b033313d2587f0fe3e7775ec50cc8ee9e7a7d3babb16372cedbc21d174da7be738814177c9034ff787d4c27a0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3828f8612c26325ad8a9c7094e278ada

SHA1
18a911d3783c824daed1f7044a4ea1fedbc28378

SHA256
6ddde99bbbda1405fd2a118eb27b9ac4f4d47be42a04c9f7fac66b074d8b7fed

SHA512
7dcca008000f4babbf3afc84a7af6ff4541dc9575cc84fd6a636b3ea86a9ca040f284150e135c8f2d547a081b886302c966aa4a44d2a6716157cda1577333722

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b3178f64500aa3063f07765f73ab734

SHA1
8664ceea182e9ac41cf98feae524ae4ba79b5646

SHA256
87241d36aac4fd8eb301c6e5457449e24744d0a421efda6b50ba65db9faa1f1e

SHA512
7f1d854087758588ba0463b563cd55410e0e418b0b16792cef46093200888a38e85c20bc0ede8114ef3dc7c8363b6cba8623bf31a620ce57785b028ec77c628c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49e31404d8616df329634cafce399768

SHA1
b828fd698ed611825a060417fb653d38884c5aff

SHA256
c9f2d8d7fa1b930c4944da8b4d520f6bbeec9002c13b16cd78f0a557418beeef

SHA512
77d47467ed29e0b6128ab10b3296be657333ccb3da530e32bef2451f8e28159bb94aa6bd15e9bb0ae96cce7d5e650a5bef067b0838707111d73bcc50e5c75e7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c31941255d410ab8953ff2938668e14a

SHA1
89c8949c5f61902899e3264e4be63b6208057e4c

SHA256
54e7315b57c6c258a0cafa69d507c9a5ff242a3de9b71bdfba964fd2602e6b82

SHA512
452b89ea0acac5e2b62ceaf24b72e8e0725fa35e3cbe8209d5a36faf928fdbecaf26a5cdef0f93232717c97e6cddad3b51eaaaf78fd052e95fbc7070a1318ae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0695d70a424f10f962164ac5a71600bf

SHA1
49044144d507efa21161537092e017d3da19e783

SHA256
cf926ae5fffc90ec5b86a193fead5b0e5675f45e55b809d7369651ad907e095a

SHA512
32455000ed2f6fd78c79bebf289eda21eda92551da04950332092d9aca30e5023a322d746811fa81c28ae130d08ec48975ca3cd5f4716d56a704c375c2d6e10e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b3702902e16cb786d8586a1b2587c31a

SHA1
89d2e4fd3203acfbbd68872fe13ece3212517b31

SHA256
6dcc34e4353d6e2b2c03a84b28a49041eaf22435cd76fe9ea11f331c25926bba

SHA512
02d0db8e8fc8ee7b7317da0df61a3a82c2f1f50156fb43abef0268b673937ca2655b97e308213d6b6c74138af52173581aaaff885243fa419ccc0a31fe734cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9F9B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA157.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
memory/2296-4-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2296-2-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-0-0x0000000074591000-0x0000000074592000-memory.dmp

Filesize
4KB

Download
memory/2296-9-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-10-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2296-11-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-3-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-1-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download