Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/01/2025, 22:25
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://getfilenow.com/lp?id=Argon%20Exploit_37081177&t=ZV5eU2FSQ0xDWA==
Resource
win10v2004-20241007-en
General
-
Target
https://getfilenow.com/lp?id=Argon%20Exploit_37081177&t=ZV5eU2FSQ0xDWA==
Malware Config
Signatures
-
Chimera 44 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
description flow ioc Process File created C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\root\Office16\AugLoop\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre-1.8\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\dotnet\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\root\Office16\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe 136 bot.whatismyipaddress.com Process not Found File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection msedge.exe File created C:\Program Files\Java\jre-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe -
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource yara_rule behavioral1/memory/5084-694-0x0000000010000000-0x0000000010010000-memory.dmp chimera_loader_dll -
Chimera family
-
Renames multiple (224) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Executes dropped EXE 14 IoCs
pid Process 4116 EternalRocks.exe 3796 EternalRocks.exe 3004 EternalRocks.exe 3332 EternalRocks.exe 4348 EternalRocks.exe 4952 EternalRocks.exe 4732 EternalRocks.exe 2980 EternalRocks.exe 4300 EternalRocks.exe 5052 EternalRocks.exe 4476 EternalRocks.exe 2936 EternalRocks.exe 3940 EternalRocks.exe 5084 HawkEye.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 115 raw.githubusercontent.com 116 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 136 bot.whatismyipaddress.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt HawkEye.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf HawkEye.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt HawkEye.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt HawkEye.exe File created C:\Program Files\Java\jre-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt HawkEye.exe File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Third Party Notices.txt HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\an.txt HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt HawkEye.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\el.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt HawkEye.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt HawkEye.exe File created C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt HawkEye.exe File opened for modification C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt HawkEye.exe File created C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\fa.txt HawkEye.exe File opened for modification C:\Program Files\VideoLAN\VLC\README.txt HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Third Party Notices.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt HawkEye.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt HawkEye.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt HawkEye.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Pester.help.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt HawkEye.exe File created C:\Program Files\Java\jre-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt HawkEye.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt HawkEye.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt HawkEye.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf HawkEye.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf HawkEye.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Added.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\sq.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt HawkEye.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\tk.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\io.txt HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\fr.txt HawkEye.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HawkEye.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
NTFS ADS 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 51212.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 496215.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 97677.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 389735.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 1244 msedge.exe 1244 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 5080 identity_helper.exe 5080 identity_helper.exe 2340 msedge.exe 2340 msedge.exe 3856 msedge.exe 3856 msedge.exe 4520 msedge.exe 4520 msedge.exe 4520 msedge.exe 4520 msedge.exe 4012 msedge.exe 4012 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3128 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
pid Process 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5084 HawkEye.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe -
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3128 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3128 wrote to memory of 3924 3128 msedge.exe 82 PID 3128 wrote to memory of 3924 3128 msedge.exe 82 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 2376 3128 msedge.exe 83 PID 3128 wrote to memory of 1244 3128 msedge.exe 84 PID 3128 wrote to memory of 1244 3128 msedge.exe 84 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85 PID 3128 wrote to memory of 5064 3128 msedge.exe 85
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://getfilenow.com/lp?id=Argon%20Exploit_37081177&t=ZV5eU2FSQ0xDWA==1⤵
- Chimera
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97a0846f8,0x7ff97a084708,0x7ff97a0847182⤵PID:3924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:22⤵PID:2376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:82⤵PID:5064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵PID:3400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵PID:860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:82⤵PID:5112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:12⤵PID:3260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:12⤵PID:3812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵PID:4340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵PID:4420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:12⤵PID:2080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵PID:2624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:12⤵PID:4024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:12⤵PID:4800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:12⤵PID:1748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:12⤵PID:3492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:12⤵PID:4392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:12⤵PID:1144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1752 /prefetch:82⤵PID:2468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:12⤵PID:3312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6676 /prefetch:82⤵PID:2188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:12⤵PID:2560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:12⤵PID:1288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:12⤵PID:3912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6812 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:12⤵PID:3492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6540 /prefetch:82⤵PID:4328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6532 /prefetch:82⤵PID:4480
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3856
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:4116
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:3796
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:3004
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:3332
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:4348
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:4952
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:4732
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:2980
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:4300
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:5052
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:4476
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:2936
-
-
C:\Users\Admin\Downloads\EternalRocks.exe"C:\Users\Admin\Downloads\EternalRocks.exe"2⤵
- Executes dropped EXE
PID:3940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6172 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5384 /prefetch:82⤵PID:2972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:12⤵PID:3496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6304 /prefetch:82⤵PID:3908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6936 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4012
-
-
C:\Users\Admin\Downloads\HawkEye.exe"C:\Users\Admin\Downloads\HawkEye.exe"2⤵
- Chimera
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5096
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2032
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5180677b113596ce34077f1b4a4c65748
SHA191913ded7e0e7d13d7c94d51bab7bb0e01cbb748
SHA256c10182f9cd79ac81442631f32a5b95d0fd75552e12a61796d9de4a252e1a490d
SHA512f1a5328dfe1d871de39fadef69f300f8dfa93022a83e4094b254d2d949ee2b4d59fb70e854118405880c232dd60a5b688aef351cf5d7fcf11354c7f0e5d22f49
-
Filesize
20B
MD5b3ac9d09e3a47d5fd00c37e075a70ecb
SHA1ad14e6d0e07b00bd10d77a06d68841b20675680b
SHA2567a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432
SHA51209b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316
-
Filesize
152B
MD556a4f78e21616a6e19da57228569489b
SHA121bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize
152B
MD5e443ee4336fcf13c698b8ab5f3c173d0
SHA19bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA25679e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
Filesize
5.0MB
MD5c52f20a854efb013a0a1248fd84aaa95
SHA18a2cfe220eebde096c17266f1ba597a1065211ab
SHA256cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30
SHA51207b057d4830d3e2d17c7400d56f969c614a8bae4ba1a13603bb53decd1890ddcfbaad452c59cc88e474e2fd3abd62031bf399c2d7cf6dc69405dc8afcea55b9a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5cc5b7a92802b41af603d6bb9e304ac79
SHA131177b7926d1a7ba267c8f026a3eb9d4ebc7c492
SHA256f251b57c059d5782ec4e531ecd29a9140f9cfc1148ac18e6680e5fb2ea2cea9b
SHA5120b3b23c60d801643d03336083a69a4ddd54f33c355d134ab6652a91599285bd72fa35a2e86c55ffe747b87d5fc98a5483b18991c665360ac1d99bb2225d886a0
-
Filesize
1KB
MD593855eece96d6f0a1764096e966e515c
SHA1c547d76fd87d57156922a251c1d86f7b30f49e6e
SHA2561da392b046bb901596e3ed52c464c8c83098f849891263f47a165d3225e785e3
SHA512f762f35590dc76aeae39d476ea2f83037c7dc75c576e5c4beeea885477ca09ba7a576fed44364702dc3f7e8385db7c3fcfdd8cb946921fdb56700453b3d17db6
-
Filesize
1KB
MD5c124060abb8af1a08a86410a6274a932
SHA18149d743684fa82d0abc7bbfe8a1f29c966a3a69
SHA256caf1013db76bcbbabf94bbb73db3f29ddae05b1c5c63f9231153be34b642c984
SHA51266d5e840e8c431793246519db39ee3b7b64dde1641c31e3ab090467aba0a7f6052c5203e7f9eb4ffa4fdadc9b494f45662f76aff17a93fea03e8e8f5ae813d8a
-
Filesize
6KB
MD506f3b9ea910c09554b2515da077a0869
SHA1681781093837fe170652af75536f8310203bd258
SHA2561edca97c2a6300df98bcdda6572c1d8bba8f3dc7325b5c1a8ef9e946b732987a
SHA5122ff57bdc72eb0646392427032fba92890bf9b1d8351af2f507d1ab911e3b40929d2699f6c6a4601fef3f9d81105258e2c5f7820d6bd28fe3a3a189217c45fe28
-
Filesize
7KB
MD5beb50faf74dfef73b7d76feb00366aad
SHA142c1cb9d3e3275bf8dcb968b436801c73c560cb6
SHA256711fa46f07f435935dc9dee77597bba995c4705970e257a925e9f94138ab8b45
SHA51213e722cd94ad0071ed8ccb365d0e16157faee6436ed5b1928ccf7d7c383d74c1eab0ae2533df11566b2e7d8d6798aab1588a207c0f4d5d7a9353b31d2181fe7e
-
Filesize
6KB
MD52fc98fccc76f41702454f781d8d40c8c
SHA11984a9a337a853fbff458e35a9f9223391047bd3
SHA25627222e99b09cbf1759c93212cd9857f4e0babd9c0804d52fbab0a41fcca332be
SHA5122c714aa9f2cf25d1e9a03714c6f4472d4b2ddec165cac3e57fc1a4b94c0a614a5108284ebf7f4c5849a969c2db955991dbb15fc9735912e1852476392d795ff2
-
Filesize
7KB
MD56fc53c1188366b45705b40cdccf11479
SHA197ca439fc73fc9fa104d25a63c93c824befe9aab
SHA2561003c4a73b35691795b20af4bb5b7ac0acc12090a32c29ab7349daab25b970a0
SHA5121cc2eb26e81179b602d97f3b2159de948516d436c28dc1934746f6556241f4861dfd27e098ef38c9afee86f566c33f2b04e4dbc1402b80ad8c1213426f379817
-
Filesize
5KB
MD55ccb69f7f4f5df2a8a57e948f7ab1909
SHA1d3ceada6af61c5851fd3bd4fbc95f3c2fcb65395
SHA256b33b7209571b261315a671b4172dc92e905e62368d5bae254dc8d40a0aba7748
SHA512767a4d0d3f1610cc644fd0665cb01302dcfce0b813c1bbb18542db709d5472f740c7bebd296e45822dbfc3b571e9ce4893ababf461d3bba6a2d2bf3d18b47ead
-
Filesize
1KB
MD59997e223929b137d7b6530c00d904c46
SHA14e6db618533e6d7df02c2477d86ab3040f590271
SHA25662885340a513014889bc8f696a9eeeb0df4f988853e99d19a1484de7090ea8cd
SHA5122982776d30d56d851cba8de9e5eb500a77a5338ec26840cd34484a35fe9dc64983e45a03e331e52f40dbebf8811c16a89a879c4913dc680ad0dbecc5311c33a4
-
Filesize
1KB
MD5712ddfeddc1cfaa4df62c4664176fcf4
SHA112d1143a34d4aff252753be6d17a9c49254e38b3
SHA256f252281eed85342039f4cc233e855c3003475d256f271bd6d3a21c3a83417d08
SHA512ac7d59b88bb3e0941fcc1db405ae769fc2cc1caf88114445e9b31c2ff123ea985ebf17a475d0a00c1f992a35c410b5ef85d4ce2a7b33251e852937a93956d7e6
-
Filesize
1KB
MD5d8d09d0d797cf36f0b2d7ae09cf28d6f
SHA1d87299c886291f517a4177fac0c9d26a65291f0a
SHA2561b376d014cb39e779fc64738ff56213b8d5ab358e43928f2b35bbd005691b600
SHA512786a2860b43fec59a77fac5977189c1c1f005e34bc757fa755866024e7893bf9e2f71ae2839b8a4f215b177aa40a999d7b778ae0d7f083578070d026130184a1
-
Filesize
1KB
MD59b546cc2b27a37d4c83985de9e1d0ead
SHA14c3782a57725053f842888c17730603bb83980bb
SHA2568eff6753a8cea2111ef7827624a586efb2b88df71614829349b253be0e29fdda
SHA512a75afc692fd05c39f4952ba45146cfd749198f53a3ef864d611d17d6e4a76970440eb5bbe06908691eb17d603f16e9507718fcddde13f315a6a31b8bc44f4bd8
-
Filesize
1KB
MD5847ee395884e6b08f193bfa26a533f6a
SHA187b005df9ce585edc1cb414143562604244f926d
SHA2568cce66f36dc227c3cddde6514a83f35286a2abaaa1ae0a7a5af2d8a89434e17e
SHA51283d5ce7650f8dc0b0ee679ad257d7ae961bb70f03a6ef13d6038274dc505e32b6e4b054f79a1789abb8cf9e729009078f1a19d50bb707dd9a33ac3cbe326f113
-
Filesize
1KB
MD570dfe04c46b5a77e8ca938f20b7f48e3
SHA11fb0c92d10dbb79eb1a201ba261d1f3282c14f33
SHA256c7252d790700350774b9f34684976f8c8f0508445f67db123fb46056034cce9c
SHA5121e2188e51ca3be043fd39b5fd1920adad4ba30d0437e63a50fa09c0c5856942da28522336180d268050db34a5f3a40deb4a36477870367417695abc779d665f0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5f299219e1470213c252f6cc7a8cab57f
SHA110ea3ebf9b3cacee279f53e0ce9b8056714fbe7d
SHA25647c20974cb1b0b330a77f996b87214fea382ce475bd4f9e2ef3ee988a0a90476
SHA512f7b8a5f3a5340bdc9354e759930f371d5cde03859e7eeb92246e9650cd44a8e848b0671ab48c128789c5dbfed20330d8c7caf985373fe3e84752ae9a401501b0
-
Filesize
11KB
MD5522a13c08d74802b112fd380ddc788af
SHA150ba87653da52ba2e08d1aec113159806086863c
SHA256b8dd7195d1303fb51bdc7bc72208a448932b255bcdb744d9e1d5f69e981c1e8d
SHA512121a8b00d94f65671b8d78d4725efecac6946d1de7ad05a87492d2025ffda3838e41f2a64aabc9298aa5fd463ecb588777382d38e9dd7bf1b677b7398688b52b
-
Filesize
10KB
MD5bd643e8fc4f19ba343420cdec44f6208
SHA18fbdbefab46517a30d12df93796f1f5e6201b46a
SHA256fb1e85da58af39d8465478dc1c732561f604c7fa085b28bc4b0c034506805f3a
SHA512fa31d8da511e063af7572abcc6a82d3f44ee0edcb632089260cb87a55b6536b81415ab84a1c1fd6f3889518c8d6aa3bc3bec2225ec2b480391df5d936edf2ada
-
Filesize
232KB
MD560fabd1a2509b59831876d5e2aa71a6b
SHA18b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA2561dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA5123e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
Filesize
3KB
MD56f5767ec5a9cc6f7d195dde3c3939120
SHA14605a2d0aae8fa5ec0b72973bea928762cc6d002
SHA25659fe169797953f2046b283235fe80158ebf02ba586eabfea306402fba8473dae
SHA512c0fbba6ecaef82d04157c5fcf458817bf11ce29cdaf3af6cac56724efcf4305565c6e665cdcf2106c675ba0574c60606be81d9baafe804fc7d2d3a50fed0baf6