chimera | hxxps://getfilenow[.]com/lp?id=Argon%20Exploit_37081177&t=ZV5eU2FSQ0xDWA==

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2025, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://getfilenow.com/lp?id=Argon%20Exploit_37081177&t=ZV5eU2FSQ0xDWA==

Score

10^/10

chimera discovery ransomware spyware stealer

Malware Config

Signatures

Chimera 44 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	flow	ioc	Process
File created		C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Office\root\Office16\AugLoop\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jre-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk-1.8\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\VideoLAN\VLC\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jre-1.8\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\dotnet\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Office\root\Office16\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
	136	bot.whatismyipaddress.com	Process not Found
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Office\root\Office16\MSIPC\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created		C:\Program Files\Microsoft Office\root\Office16\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
Key created		\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
File created		C:\Program Files\Java\jre-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/5084-694-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (224) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
4116	EternalRocks.exe
3796	EternalRocks.exe
3004	EternalRocks.exe
3332	EternalRocks.exe
4348	EternalRocks.exe
4952	EternalRocks.exe
4732	EternalRocks.exe
2980	EternalRocks.exe
4300	EternalRocks.exe
5052	EternalRocks.exe
4476	EternalRocks.exe
2936	EternalRocks.exe
3940	EternalRocks.exe
5084	HawkEye.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
115	raw.githubusercontent.com
116	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
136	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	HawkEye.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt	HawkEye.exe
File created	C:\Program Files\Java\jre-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt	HawkEye.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Third Party Notices.txt	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt	HawkEye.exe
File created	C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	HawkEye.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Third Party Notices.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt	HawkEye.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Pester.help.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	HawkEye.exe
File created	C:\Program Files\Java\jre-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt	HawkEye.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Added.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	HawkEye.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 51212.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 496215.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 97677.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 389735.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1244	msedge.exe
1244	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
5080	identity_helper.exe
5080	identity_helper.exe
2340	msedge.exe
2340	msedge.exe
3856	msedge.exe
3856	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4012	msedge.exe
4012	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3128	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	HawkEye.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3128	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 3924	3128	msedge.exe	82
PID 3128 wrote to memory of 3924	3128	msedge.exe	82
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 2376	3128	msedge.exe	83
PID 3128 wrote to memory of 1244	3128	msedge.exe	84
PID 3128 wrote to memory of 1244	3128	msedge.exe	84
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85
PID 3128 wrote to memory of 5064	3128	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://getfilenow.com/lp?id=Argon%20Exploit_37081177&t=ZV5eU2FSQ0xDWA==
1⤵
- Chimera
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97a0846f8,0x7ff97a084708,0x7ff97a084718
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1752 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6676 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6540 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6172 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,11221860963163499844,11031690161426151643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4012
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Chimera
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
180677b113596ce34077f1b4a4c65748

SHA1
91913ded7e0e7d13d7c94d51bab7bb0e01cbb748

SHA256
c10182f9cd79ac81442631f32a5b95d0fd75552e12a61796d9de4a252e1a490d

SHA512
f1a5328dfe1d871de39fadef69f300f8dfa93022a83e4094b254d2d949ee2b4d59fb70e854118405880c232dd60a5b688aef351cf5d7fcf11354c7f0e5d22f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\EternalRocks.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
5.0MB

MD5
c52f20a854efb013a0a1248fd84aaa95

SHA1
8a2cfe220eebde096c17266f1ba597a1065211ab

SHA256
cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30

SHA512
07b057d4830d3e2d17c7400d56f969c614a8bae4ba1a13603bb53decd1890ddcfbaad452c59cc88e474e2fd3abd62031bf399c2d7cf6dc69405dc8afcea55b9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cc5b7a92802b41af603d6bb9e304ac79

SHA1
31177b7926d1a7ba267c8f026a3eb9d4ebc7c492

SHA256
f251b57c059d5782ec4e531ecd29a9140f9cfc1148ac18e6680e5fb2ea2cea9b

SHA512
0b3b23c60d801643d03336083a69a4ddd54f33c355d134ab6652a91599285bd72fa35a2e86c55ffe747b87d5fc98a5483b18991c665360ac1d99bb2225d886a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
93855eece96d6f0a1764096e966e515c

SHA1
c547d76fd87d57156922a251c1d86f7b30f49e6e

SHA256
1da392b046bb901596e3ed52c464c8c83098f849891263f47a165d3225e785e3

SHA512
f762f35590dc76aeae39d476ea2f83037c7dc75c576e5c4beeea885477ca09ba7a576fed44364702dc3f7e8385db7c3fcfdd8cb946921fdb56700453b3d17db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c124060abb8af1a08a86410a6274a932

SHA1
8149d743684fa82d0abc7bbfe8a1f29c966a3a69

SHA256
caf1013db76bcbbabf94bbb73db3f29ddae05b1c5c63f9231153be34b642c984

SHA512
66d5e840e8c431793246519db39ee3b7b64dde1641c31e3ab090467aba0a7f6052c5203e7f9eb4ffa4fdadc9b494f45662f76aff17a93fea03e8e8f5ae813d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06f3b9ea910c09554b2515da077a0869

SHA1
681781093837fe170652af75536f8310203bd258

SHA256
1edca97c2a6300df98bcdda6572c1d8bba8f3dc7325b5c1a8ef9e946b732987a

SHA512
2ff57bdc72eb0646392427032fba92890bf9b1d8351af2f507d1ab911e3b40929d2699f6c6a4601fef3f9d81105258e2c5f7820d6bd28fe3a3a189217c45fe28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
beb50faf74dfef73b7d76feb00366aad

SHA1
42c1cb9d3e3275bf8dcb968b436801c73c560cb6

SHA256
711fa46f07f435935dc9dee77597bba995c4705970e257a925e9f94138ab8b45

SHA512
13e722cd94ad0071ed8ccb365d0e16157faee6436ed5b1928ccf7d7c383d74c1eab0ae2533df11566b2e7d8d6798aab1588a207c0f4d5d7a9353b31d2181fe7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2fc98fccc76f41702454f781d8d40c8c

SHA1
1984a9a337a853fbff458e35a9f9223391047bd3

SHA256
27222e99b09cbf1759c93212cd9857f4e0babd9c0804d52fbab0a41fcca332be

SHA512
2c714aa9f2cf25d1e9a03714c6f4472d4b2ddec165cac3e57fc1a4b94c0a614a5108284ebf7f4c5849a969c2db955991dbb15fc9735912e1852476392d795ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6fc53c1188366b45705b40cdccf11479

SHA1
97ca439fc73fc9fa104d25a63c93c824befe9aab

SHA256
1003c4a73b35691795b20af4bb5b7ac0acc12090a32c29ab7349daab25b970a0

SHA512
1cc2eb26e81179b602d97f3b2159de948516d436c28dc1934746f6556241f4861dfd27e098ef38c9afee86f566c33f2b04e4dbc1402b80ad8c1213426f379817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ccb69f7f4f5df2a8a57e948f7ab1909

SHA1
d3ceada6af61c5851fd3bd4fbc95f3c2fcb65395

SHA256
b33b7209571b261315a671b4172dc92e905e62368d5bae254dc8d40a0aba7748

SHA512
767a4d0d3f1610cc644fd0665cb01302dcfce0b813c1bbb18542db709d5472f740c7bebd296e45822dbfc3b571e9ce4893ababf461d3bba6a2d2bf3d18b47ead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9997e223929b137d7b6530c00d904c46

SHA1
4e6db618533e6d7df02c2477d86ab3040f590271

SHA256
62885340a513014889bc8f696a9eeeb0df4f988853e99d19a1484de7090ea8cd

SHA512
2982776d30d56d851cba8de9e5eb500a77a5338ec26840cd34484a35fe9dc64983e45a03e331e52f40dbebf8811c16a89a879c4913dc680ad0dbecc5311c33a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
712ddfeddc1cfaa4df62c4664176fcf4

SHA1
12d1143a34d4aff252753be6d17a9c49254e38b3

SHA256
f252281eed85342039f4cc233e855c3003475d256f271bd6d3a21c3a83417d08

SHA512
ac7d59b88bb3e0941fcc1db405ae769fc2cc1caf88114445e9b31c2ff123ea985ebf17a475d0a00c1f992a35c410b5ef85d4ce2a7b33251e852937a93956d7e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8d09d0d797cf36f0b2d7ae09cf28d6f

SHA1
d87299c886291f517a4177fac0c9d26a65291f0a

SHA256
1b376d014cb39e779fc64738ff56213b8d5ab358e43928f2b35bbd005691b600

SHA512
786a2860b43fec59a77fac5977189c1c1f005e34bc757fa755866024e7893bf9e2f71ae2839b8a4f215b177aa40a999d7b778ae0d7f083578070d026130184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9b546cc2b27a37d4c83985de9e1d0ead

SHA1
4c3782a57725053f842888c17730603bb83980bb

SHA256
8eff6753a8cea2111ef7827624a586efb2b88df71614829349b253be0e29fdda

SHA512
a75afc692fd05c39f4952ba45146cfd749198f53a3ef864d611d17d6e4a76970440eb5bbe06908691eb17d603f16e9507718fcddde13f315a6a31b8bc44f4bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
847ee395884e6b08f193bfa26a533f6a

SHA1
87b005df9ce585edc1cb414143562604244f926d

SHA256
8cce66f36dc227c3cddde6514a83f35286a2abaaa1ae0a7a5af2d8a89434e17e

SHA512
83d5ce7650f8dc0b0ee679ad257d7ae961bb70f03a6ef13d6038274dc505e32b6e4b054f79a1789abb8cf9e729009078f1a19d50bb707dd9a33ac3cbe326f113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58558d.TMP

Filesize
1KB

MD5
70dfe04c46b5a77e8ca938f20b7f48e3

SHA1
1fb0c92d10dbb79eb1a201ba261d1f3282c14f33

SHA256
c7252d790700350774b9f34684976f8c8f0508445f67db123fb46056034cce9c

SHA512
1e2188e51ca3be043fd39b5fd1920adad4ba30d0437e63a50fa09c0c5856942da28522336180d268050db34a5f3a40deb4a36477870367417695abc779d665f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f299219e1470213c252f6cc7a8cab57f

SHA1
10ea3ebf9b3cacee279f53e0ce9b8056714fbe7d

SHA256
47c20974cb1b0b330a77f996b87214fea382ce475bd4f9e2ef3ee988a0a90476

SHA512
f7b8a5f3a5340bdc9354e759930f371d5cde03859e7eeb92246e9650cd44a8e848b0671ab48c128789c5dbfed20330d8c7caf985373fe3e84752ae9a401501b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
522a13c08d74802b112fd380ddc788af

SHA1
50ba87653da52ba2e08d1aec113159806086863c

SHA256
b8dd7195d1303fb51bdc7bc72208a448932b255bcdb744d9e1d5f69e981c1e8d

SHA512
121a8b00d94f65671b8d78d4725efecac6946d1de7ad05a87492d2025ffda3838e41f2a64aabc9298aa5fd463ecb588777382d38e9dd7bf1b677b7398688b52b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bd643e8fc4f19ba343420cdec44f6208

SHA1
8fbdbefab46517a30d12df93796f1f5e6201b46a

SHA256
fb1e85da58af39d8465478dc1c732561f604c7fa085b28bc4b0c034506805f3a

SHA512
fa31d8da511e063af7572abcc6a82d3f44ee0edcb632089260cb87a55b6536b81415ab84a1c1fd6f3889518c8d6aa3bc3bec2225ec2b480391df5d936edf2ada

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 389735.crdownload

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 51212.crdownload

Filesize
3KB

MD5
6f5767ec5a9cc6f7d195dde3c3939120

SHA1
4605a2d0aae8fa5ec0b72973bea928762cc6d002

SHA256
59fe169797953f2046b283235fe80158ebf02ba586eabfea306402fba8473dae

SHA512
c0fbba6ecaef82d04157c5fcf458817bf11ce29cdaf3af6cac56724efcf4305565c6e665cdcf2106c675ba0574c60606be81d9baafe804fc7d2d3a50fed0baf6

Download Submit
memory/4116-586-0x000000001E600000-0x000000001E69C000-memory.dmp

Filesize
624KB

Download
memory/4116-584-0x000000001E050000-0x000000001E55E000-memory.dmp

Filesize
5.1MB

Download
memory/4116-589-0x0000000001C30000-0x0000000001C38000-memory.dmp

Filesize
32KB

Download
memory/4116-501-0x000000001CD30000-0x000000001D1FE000-memory.dmp

Filesize
4.8MB

Download
memory/4116-500-0x000000001C210000-0x000000001C63E000-memory.dmp

Filesize
4.2MB

Download
memory/5084-694-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5084-698-0x0000000004BB0000-0x0000000004BCA000-memory.dmp

Filesize
104KB

Download