chimera | 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

Analysis

max time kernel
300s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2023 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chimera.exe
Size

232KB
MD5

60fabd1a2509b59831876d5e2aa71a6b
SHA1

8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256

1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512

3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
SSDEEP

3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi

Score

10^/10

chimera ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files\Java\jdk-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral2/memory/1224-3-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Renames multiple (3274) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Chimera.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Chimera.exe
File opened for modification	C:\Program Files\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Public\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Chimera.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Chimera.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-125.png	Chimera.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.tree.dat	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreMedTile.scale-200.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-125.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-100.png	Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-150.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-200.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_gameDVR.targetsize-48.png	Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\nub.png	Chimera.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_1.m4a	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\CortanaCommands.xml	Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\ui-strings.js	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-48_altform-unplated_contrast-black.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png	Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\3DViewerProductDescription-universal.xml	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-125.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-64.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-200.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-100.png	Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\selector.js	Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nl_135x40.svg	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-125_contrast-white.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\View3d\3DViewerProductDescription-universal.xml	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-16_altform-unplated.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-150.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_altform-unplated.png	Chimera.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png	Chimera.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Default.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsStoreLogo.scale-100.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-400.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-150.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp4.scale-200.png	Chimera.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip	Chimera.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\WideTile.scale-125.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-32_altform-lightunplated.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-125.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-125.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-200.png	Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png	Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\plugin.js	Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\plugin.js	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MediumTile.scale-100_contrast-white.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\AppIcon.scale-100.png	Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W5.png	Chimera.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80faa32f6304da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "777085424"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c035c92f6304da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31065187"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb91000000000200000000001066000000010000200000004d35257ee4dc2d9fa95633e28927c6fbe45da7f713ebe3b0afd48b69c8e928f5000000000e8000000002000020000000fefd21558c4b7c46d3820241919643e171db95ecf791415f881995a19d5ba40d20000000d7e81dc0e060ffdf1a5145dccbe3aafbf50014f04d3508beb08ac7a31408873440000000317b85d3bd25d716bb471bb810a6c5e3296dc45c194b20ade996ef7d98084f0ab54153b722f7273826a30a88ef54f5aba7d8bf4332a39b0b2c5cbb4db83322c0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404687642"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31065187"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "777085424"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "781290760"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{59E90331-7056-11EE-88E4-CA574F33442A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31065187"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c79fe21d651d6c4bb8d4cd4060a2fb91000000000200000000001066000000010000200000007c95ba64ff9eb084f16e4c02c3ef7f995a56d6f3ccbbd67dae21a35108c364f0000000000e80000000020000200000007bf77a100649dafb7f8ba1026cae33c5d7c39e5127f9e7aaf5a950f8f01ea4b6200000003899d54217786fa97e5092f2112c661a88275266d4e6444ec57760641d33a5064000000000b169d38c0cd8e70a07be6c7318773a2c49a3486ce1ef08e68c16e5ddf8ce1d49ef0f221fa32a8b715300be26158fe099ce9c257fc821b3bb96d0abc62195a3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133423961430646092"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1692	chrome.exe
1692	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	Chimera.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
3772	iexplore.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3772	iexplore.exe
3772	iexplore.exe
924	IEXPLORE.EXE
924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1728	1792	chrome.exe	98
PID 1792 wrote to memory of 1728	1792	chrome.exe	98
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 1888	1792	chrome.exe	102
PID 1792 wrote to memory of 4532	1792	chrome.exe	101
PID 1792 wrote to memory of 4532	1792	chrome.exe	101
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100
PID 1792 wrote to memory of 2452	1792	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\Chimera.exe
"C:\Users\Admin\AppData\Local\Temp\Chimera.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1224
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3772
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3772 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc75689758,0x7ffc75689768,0x7ffc75689778
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:2
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3272 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3252 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4652 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:8
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:8
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4500 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5756 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5436 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3404 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5276 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3464 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5232 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3972 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3880 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4504 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6084 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6416 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5592 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6568 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6496 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=4608 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5824 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6904 --field-trial-handle=1940,i,6687519792113726512,1110219587709088436,131072 /prefetch:8
  2⤵
  PID:4832

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1876

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x49c
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
fba6f1a64649287656ed4ca11b217cb5

SHA1
316f4a776d62fef56b91d520da05998cf4c77a2c

SHA256
08ebabdde206968ddb9777b99d69f141f670e37e7b296b267029c728d1c19d11

SHA512
1469aa5a1a2933a45b573c771ad29288699e702e9a82fab74d1b24c94ee3563c42d683725d07709bca48b4254a8c9b164317f82e2cf8ac26e703d8e945acff95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
81ce6b94570fc5f95716b1e012b3a365

SHA1
c5a2678d90dca86c3c2671c3a9669b11f35cf9e5

SHA256
abb8204637fc415705d5549449827389bfbe7ba0ae41b56d7037ef4b7a794258

SHA512
57b3296a42f705474e5855d225b0ff3030661f861e9ede28e951ca469d532a67a957a921cc9d8bb5ed5de55ec16a544a8d0e171cd1a95e04fb05fe7c5be3994b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
6146410e6b80276b2c9190199e9fdcea

SHA1
db2b144ea8b01c01caa98a140daebccc6f49f0a9

SHA256
40fbd0997bc7c7116bb74432cdaaf7fe3f0ee9f1d8acf267458c1e637a2d736c

SHA512
b9004878de568b2b315b09206a8b18195981ac9ab594e6e8c1330f652a42ab32fc81aa244011ee75eabd3bc9596df57de43b77df4122b085c5f55412a533f5b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
21KB

MD5
2fb5861c1c5389691176213481faf681

SHA1
8016b3be891783532002792b3370660be1c9447e

SHA256
8e9a3cb6da5e6cb0dd3db4d225738da151e702bf3f675df3e5431fe9dac00410

SHA512
867fe16f8e94338ab1046c9b9d7be6d637cdc0015a98f7d8ded606816a3a23e3f8c70d33b5d5cf75580be03f4dcd54d7cfa970d8570eb273ade006ea2b71042b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ae5f8f46cd98f0e106dfd29a54b06aea

SHA1
bbc791bfed466a0c6736280584be26a320bdc095

SHA256
5c4e6b9a35c0636400f01df16b3452551eb128b3d1993fa382aa65b6b3122f49

SHA512
0cb94e9d392b3aa0fe66ebb6dcc48d2311d07f0f2761b069606864f2b89cdbd0d4b65a51538330582a190e98b45488ecce31b81121f812271acbfd79279efb68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ad70fdc5cdd8b1bc0502350ea6c78d3e

SHA1
1a904f0c4d31689dc51679999b4818cbde1189a9

SHA256
c1e00434cde4481dace17e800a254db99d84696a4d6817267dd61b4003553635

SHA512
aba9ddb55cdc802b05d68f594ac29750828e2e63b4dfc9418fd3818d2c67906ebfcf824ad24e3dd946d1c34ed86e6a478dbbc328a5654ddb2031c617d2940620

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
560c9bffbf04e57552482158620fcb23

SHA1
c63630819aff6efce41c9d976ee84e5167f94268

SHA256
0c764f8c139ea20442a893919cc35f8713802661a74be9ee4658fa6353ae3529

SHA512
0ff05947a6f3643f1d601d8fcaf810d76a8ed10f38fec63a08a8018f26cd9a1bb2bbc341f9134c81f2837f14c8d860b6d492dddc95db0fcfbdb116695b771cd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
9594adb2159c6087eabd31c65bde17ad

SHA1
9e65132c73c79fd4debd4485bccbcef92934e057

SHA256
cec804cdf652cf7d1f211505b2762f14c18a2cde96b34f9a856a8bf39ca480bf

SHA512
91fbca575fa9a0dcbee248b0343377c2c80584c58899c7be3581374fe6f12e40afe095885d112b09c4a52370e5804ec0c4dd26fa7a207166718a6867536124c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
136ebcf3567703484159f65a2449e595

SHA1
7313a517cfea8e16bd62296a1f1fdc6d7110c363

SHA256
8dd7202097c4ca480d2288c8d9e62f9af44fce674e3a2eed6691e76ea91a73fe

SHA512
fdbc2b38334180cfcba085958983e442e1b4186e83e1b42f35a1ef1740d6d2a343dba4f63f9e7f29546c4c572a59134d5e3b24298c8f774be156cd32608a5314

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
aa302f66e8ad2c4db3cbe9aaeae83b21

SHA1
f443db104f46f59b9c938dd338abbcd8f2ad9570

SHA256
7b162709d6fae8cd30c26076d1662dc0f32b3c4d9d9ad8f7228e3345f3013b52

SHA512
6446996e7d22b4871c46d8120c03f496c57d00378e04b90cd81bd6548a8a2ff9142493ac2bb792d043fcf1b2460208aa107401894de75efd427305b7f1cbb366

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
699B

MD5
6ad1305faa9316f8377b89af7eb78199

SHA1
3ff6919da32aa2cbb69ddf3dcbfb66289fa6663d

SHA256
bb3c941d31d8cdeaf008f1608dd4bca85ea8f4cc086009b57996ac463dfd85e0

SHA512
45e5c74deef29a68a833cf68b67f5251d80ec344deadb6e7e6a1403cb2630b7e98fbf37d5aac7a06a8d6e9d15ddeafbfe109b8483c36b7f2bf458544e98a3d27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
699B

MD5
6a7ad20689d1c41eab0c6c0bed53d8c7

SHA1
646a3a9dbcbedb5f87855fa0deebec081bd51e85

SHA256
24502b33d7323c7b8f1cdc16be77586cd122a264643303efc5ccec2d81513ed6

SHA512
0e8763cba6f82a5911cc7d4eb68d687c58ca2fa6e29313852a33a52d66188ec20a2a322c4f1760d2d80742d4b88a1b0c2bf203f92bd36ccf248f3d02cf232b92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
870B

MD5
ce3a02c215dc74fb944086e29f7837f5

SHA1
73f67847255c74cbc765a2bc70639ea12a83171a

SHA256
80e5095ec60efa38c5fc041b6fbe273f1fbda25f852c525353130ad3a6d14b68

SHA512
7f94c670071bb2e85a592d17d5a534311bb0a4fdd54aa8c2870c92eb8241dc201d8e4e80936b7a6c816ccb14bd5f12d41acb8ad887b75622175b1aedb4337d1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0280e77bf32051bc184de0bd03438497

SHA1
0713ddddd36d4c9847a61cfb3ee4fb85e7a1145b

SHA256
8c7827b5b2630b035c6b2257103ee55e07c25765937825fbb82a24d194bb7671

SHA512
37a278f5f61e3c423bcbc099c6582f52f2898189dac18e4167da36585ba7386c59fd4a1428a2328f11d6d4466d0fdd5edadd4a2ecd7424215f85202372973196

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e99fd5f695ba1685d440c3aa95006a92

SHA1
505b9e2780f14edebc5961df927a36466726b45d

SHA256
d4e25a69aefbc62566ea37b4bc5b66b86a1038a6cc8f200fc7eb96a9621834c1

SHA512
bb3ae8293b41156600e6bc8fe59360bb9af907f5e9edc1f0fd7a45a3178a2de0683ba0b77e0a40a5da549f90dc01375de8c5f80ee66b4856c64f50a38f99c92e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9f36bf6a37026943e76c72cb34b7b9c7

SHA1
36250e5003c028e3c3ba472c7f6fa24eddbfe35f

SHA256
7d22b02056c48131181440652a8c44f246c84df248b6543dc06469292c8e2846

SHA512
3a52ea044ea44432bb1a9281ba72997572c467edb03581a4efb84b8b8b7019cdd64ce95281a940747567ac511ef75292811a013be9ca51ad4eb9c13177598ffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0be620ceb019d41ce4ac322f7d4606fe

SHA1
5c7be8ba20c6aacc94c12c7b572518d8e0856fe8

SHA256
a8d678560788d45bdd60a9f56f58aa5b8e875f724f1576981a2d03ab81000445

SHA512
facab75a984d83ffae96d45f4c68426880eb5e5f823aa0f7362e134cf54dbe0d1a1b62ee29f3546daacb9f6c2eef9a06263a0a61e064fcdd8d6c61fe0e59a1ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0db02b5f8ef7c42e20b41413e0a706fe

SHA1
20849faa0f3bd0604e33b63eb078fa9045f6e017

SHA256
0cdcc1c6bdeee527c1bcae8b119b3a8e13d71e960edb65764cef1fd5cff91005

SHA512
b5bda28a924dadc2289aec0724cb57ed03ec405edda4bc14d721a77bffdedd98c94df10818661d677564ee19b34e0dbb15dad7cf2a7c3f2882a609781e278bd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
39b55000d6780965f265d63556dfd5e4

SHA1
dff1f11108ea0578dbf6fa04f34b54c27534cd0d

SHA256
501fea5fcf449e14c7f0d296dded6b3d4f2e17ec0e6e8551e863c7d7ade826a9

SHA512
4d2648e5c35659e435bf1412af2e4063e8d78d194a82273fe674f4ac9c8f3a06898e637b77ce6e901689be1f54797f2bb7c8302c3ae8b57ea3428ef88307d565

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
72e0747b3c5739f00926e48cb543e2e6

SHA1
a357ebe562d1ee78f68795053316115673e78574

SHA256
7b16e5fd6017011eded607494250933a25f7fa38a482ba91ed7a83c8c2122c09

SHA512
80f7a6da6cb25795774f2255365a7f9fc6344305f455d8257bea0a074dd5f6afef6f1a3e4c1d5d99e1ba032a712300aae6687dbb081231634430cb02ce8abd9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5dd4ccd6908532c8cb35406bcb271c78

SHA1
886f723fa5347487f0ab6f7452c3cdbfaf64f377

SHA256
89f607e5b4f14d25d119105c2b432c387e9ef7af50997dc310348a77f880f05f

SHA512
c3d5987690948518857a49c31ac8ec555f1fbe458f9bc867799d9e6bd1a23375fb17d767f21bca49b8b9d81b32be98430e297d7585adf86a79cf1dc773b160df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c7f35e179f95359fb7946256e1a4b2c2

SHA1
8bab34600574f56e2f167698d685d1dc4811db0d

SHA256
99073dc440ab50e3df184ca188c190238e15cb2f3a8e69f0d5b81b2dc2f2e423

SHA512
7cbb2c35d3acaeece7e3860a734dcd2e36b1f65e4398f15c0ba12fad2525aa9245307850737feef16e1a7641255058ad3a604a58be7a1846e7e128faa21a0e9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4519a51e2f923320014a25ebb23726af

SHA1
40eab14223f2d35fc76c18938c1be12cbae93987

SHA256
ebbeea986d2b341e33d47ccf8e37ce9a3d31a958bbde1f93face3eb6b22061d1

SHA512
1cae9e52855dfb9ed4e2a04725d880a5cf5cd46b076606170924acf789798246c749778abb1e3e20785e65bfb53494af8fe62e140931ac37347944ceb8358103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c72635f45272bd7af22f2b25a788a2be

SHA1
33d1478db64ce1bb1846b1c7457c14be27ee5bce

SHA256
1fc04ce45f8ab032c07301a6ae2a73b13364b64d0fa22ad34238dd4f96908044

SHA512
2feeb9f6551f28eea51c0c915ff33bd91af6dc84e2601fcbb52e95175b0e7d2ba33d600f28eb246cd3e502ecfc5a9b0113983c84281683480812d3f894647cdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
b5fb3cf54898114123d8b3767fbdcb54

SHA1
17c9e4bca2481a4e2df02c3f05ae3efe5b1a80a5

SHA256
1aba96afbfa34d4ac922e79fd99b063072b1722e513441ef79ce1fe79c4300bd

SHA512
a4426ff992d5ad3a0ee2b483e543f895e29ddc08d10bc244b56758045c59fe264156d49bc3d8bfd2711a8e5ead22271b4570d3ff99564afe1fd05b0410f5b992

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
bccf12a4840efced6c0c7a2b4a188002

SHA1
eb22088af502f3cddaf4e95c91ed73176985d40e

SHA256
056842a863638252c7c109187bccebc3f70c44557c18f250f2289032775b2b55

SHA512
53f93bb74955b9dade9be79ff1d1fc0fc6c8d8e92d8d64f45617b7652a590a1f90536dc77f0dce2457293a67e075f7bae9bd2b3b09d2f24e5087cfb70a8bf26d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
f932b0cc79008ee5e0324e177adcb46a

SHA1
1fb1f3466c6e5c670442a524c148673ada5f4076

SHA256
843df6c30d5b8dfb7a110fcf6594abeadf70459d07d8a312e2b393b03ccb4ed7

SHA512
ab5bdc688f1943faf5e12ca241e53698bf968ce6a9b626d51d9c4595db5e6844f8acda712f630f58c53a6b5d30c6a00e01bdd2af4c61a9a144f10c54de1f1409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
e6c0003da8a6acb6f4720bb08e16907b

SHA1
bc27a84e2060ffce19c732a9202c8a443b5fe72a

SHA256
8a7231e7924f6ef65e103496a6e59c8329208ca6ebc7ac09ee1a4af8c76a38b8

SHA512
72e6c0e0b9b302ce42819dbd20d60912f99e1b8afccabfa521598eabea0b5fa0eede70908269ff2a409a527738427029db61310d18871ce2386bfa31815ee2ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a51bb.TMP

Filesize
99KB

MD5
f4af35129447191659ca2910ba0a4500

SHA1
7fd21f612891c5238adff642917437bf025d62b7

SHA256
0b43849d287aa151eb12d834e5fa5acb038e4f137d629c43846a80a68d59ef3f

SHA512
4dab755ee3a6059abf225bf8adb369ff8635311e5b0bd9165c370b2325e02450b63d0ba3760a3d001434403e2754b0db143471fc42bd0c851b0cacaf952b5d74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\80UBY5GD\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\Favorites\Links\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
fba6f1a64649287656ed4ca11b217cb5

SHA1
316f4a776d62fef56b91d520da05998cf4c77a2c

SHA256
08ebabdde206968ddb9777b99d69f141f670e37e7b296b267029c728d1c19d11

SHA512
1469aa5a1a2933a45b573c771ad29288699e702e9a82fab74d1b24c94ee3563c42d683725d07709bca48b4254a8c9b164317f82e2cf8ac26e703d8e945acff95

Download Submit
C:\Users\Admin\Favorites\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
fba6f1a64649287656ed4ca11b217cb5

SHA1
316f4a776d62fef56b91d520da05998cf4c77a2c

SHA256
08ebabdde206968ddb9777b99d69f141f670e37e7b296b267029c728d1c19d11

SHA512
1469aa5a1a2933a45b573c771ad29288699e702e9a82fab74d1b24c94ee3563c42d683725d07709bca48b4254a8c9b164317f82e2cf8ac26e703d8e945acff95

Download Submit
C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
fba6f1a64649287656ed4ca11b217cb5

SHA1
316f4a776d62fef56b91d520da05998cf4c77a2c

SHA256
08ebabdde206968ddb9777b99d69f141f670e37e7b296b267029c728d1c19d11

SHA512
1469aa5a1a2933a45b573c771ad29288699e702e9a82fab74d1b24c94ee3563c42d683725d07709bca48b4254a8c9b164317f82e2cf8ac26e703d8e945acff95

Download Submit
memory/1224-9-0x0000000005820000-0x000000000583A000-memory.dmp

Filesize
104KB

Download
memory/1224-0-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1224-8-0x00000000016A0000-0x00000000017A0000-memory.dmp

Filesize
1024KB

Download
memory/1224-3-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1224-2-0x0000000001B60000-0x0000000001B70000-memory.dmp

Filesize
64KB

Download
memory/1224-1-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1224-10-0x0000000005820000-0x000000000583A000-memory.dmp

Filesize
104KB

Download
memory/1224-11-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1224-57-0x00000000016A0000-0x00000000017A0000-memory.dmp

Filesize
1024KB

Download