Resubmissions
12/03/2025, 21:38  250312-1g2k8atybt  10
09/03/2025, 00:43  250309-a3c7mswkz5  10
09/03/2025, 00:40  250309-a1jxeawvbx  10
Analysis
max time kernel
111s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
submitted
12/03/2025, 21:38
Static task
static1
Behavioral task
behavioral1
Sample
Trojan.Ransom.Chimera.zip
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Trojan.Ransom.Chimera.zip
Resource
win10v2004-20250217-en
General
Target
Trojan.Ransom.Chimera.zip
Size
128KB
MD5
516c7e4d553b8a32856b5c4fc2e7519d
SHA1
ca20c227b31eacec40c9a2935a0f5921f3d4e1b7
SHA256
c577e52acd51c63f1313eadd17580a9d89995e6a9713d40d390e40dc2d7da404
SHA512
ad2a5356a0d9faf7cac215a2bdd44cba0fde89e5ad4f887389db7f8576a7829595e61d81d485597fa3dbdfaaa6190be291087166d9eadf7e1855a73fbdc6cb16
SSDEEP
3072:z6rHehPZGIQFIbdqrVKKLaF8eL3SqLjPn4RT:+qhPZGIkIbdS8K2T2q/Qh
Malware Config
Signatures
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML 
Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files\Microsoft Office\root\fre\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File 
created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings OpenWith.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML 
Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files 
(x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files\Java\jre-1.8\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe -
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource | yara_rule
behavioral2/memory/3480-4-0x0000000010000000-0x0000000010010000-memory.dmp | chimera_loader_dll
Chimera family
Renames multiple (3285) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE 1 IoCs
pid | Process
3480 | Trojan.Ransom.Chimera.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 27 IoCs
description | ioc | Process
File opened for modification | C:\Users\Public\Documents\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Program Files\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Public\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | Trojan.Ransom.Chimera.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | Trojan.Ransom.Chimera.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
56 | bot.whatismyipaddress.com
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-400.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-200.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-100.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-200.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-white_scale-100.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured_lg.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-down_32.svg Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_3qtr.png Trojan.Ransom.Chimera.exe File opened for modification 
C:\Program Files\7-Zip\Lang\ga.txt Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-24_altform-unplated.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-100.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-64_contrast-black.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\View3d\3DViewerProductDescription-universal.xml Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\fillandsign.svg Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt_get.svg Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LargeTile.scale-200_contrast-white.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_8_Loud.m4a Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-125.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-200_contrast-white.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\word.x-none.msi.16.x-none.vreg.dat Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-125.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-200.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-125.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-256_altform-lightunplated.png 
Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\sat_logo_2x.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-200.png Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\OfflineError.svg Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-80.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program 
Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-150_contrast-black.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-100.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\ui-strings.js Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\ui-strings.js Trojan.Ransom.Chimera.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionSmallTile.scale-400.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program 
Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-300.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-RTL.gif Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\BadgeLogo.scale-100.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\ui-strings.js Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\55.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-100.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-200.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_3.m4a Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-125.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\WideTile.scale-125.png Trojan.Ransom.Chimera.exe File opened for modification 
C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-36.png Trojan.Ransom.Chimera.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-400.png Trojan.Ransom.Chimera.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan.Ransom.Chimera.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies Internet Explorer settings
description ioc Process
Set value (data) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 7ecfc6db8f81db01 iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000563f6f772e761642b0847d9d3ab62bd300000000020000000000106600000001000020000000e61ba7ca5ea2c2d03be96e75485ad62640f9f742c19ab6a3446953ace54de7af000000000e8000000002000020000000ce1856f4360e5f44eafb701643c361af1d6d8e78b7fd228502e9011cf286977110000000c2a825847c19f482a8cc3e95ff29f60d40000000d101af76a82bc5d5b3365cabd2ff601178f7a5d34f84b4d176bca56d4cf18a792caf8cb74b390687a483ee3aa0fe021164bfe1ed761c65a1a1c7826309ea4a11 iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7DBAB9E6-FF8A-11EF-B404-F2FFF3D77906} = "0" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\User Preferences iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000563f6f772e761642b0847d9d3ab62bd3000000000200000000001066000000010000200000000b9aed9bf52c9cf05100eddbcd735be12af7f27a7a4649bfc37d2698f869f4cd000000000e8000000002000020000000a23e5e5f8454192baa6f681a1464edd1e86ed27faaea28dd1ba8215f68a50561100000002e5703567c6bf0b2432f259f401e4f51400000002b5357a804387fcc7d0348bb5314273dccf103376efe1587cde0077e547b3e872ebbec56466dd83bac2dce1c5e9a7c1375766e17a757a9df5e855f3ae694c89c iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = … iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = … iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 7ecfc6db8f81db01 iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} iexplore.exe
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 2520 msedge.exe 2520 msedge.exe 1880 msedge.exe 1880 msedge.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1532 identity_helper.exe 1532 identity_helper.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3480 Trojan.Ransom.Chimera.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process
Token: SeRestorePrivilege 1780 7zG.exe
Token: 35 1780 7zG.exe (privilege LUID 35 = SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, SeCreateSymbolicLinkPrivilege, which the sandbox did not resolve to a name)
Token: SeSecurityPrivilege 1780 7zG.exe
Token: SeSecurityPrivilege 1780 7zG.exe
Token: SeDebugPrivilege 3480 Trojan.Ransom.Chimera.exe
Token: SeDebugPrivilege 1740 taskmgr.exe
Token: SeSystemProfilePrivilege 1740 taskmgr.exe
Token: SeCreateGlobalPrivilege 1740 taskmgr.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1780 7zG.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1880 msedge.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe 1740 taskmgr.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
208 OpenWith.exe
6024 iexplore.exe
6024 iexplore.exe
6000 IEXPLORE.EXE
6000 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1880 wrote to memory of 4540 1880 msedge.exe 121 PID 1880 wrote to memory of 4540 1880 msedge.exe 121 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 
PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 1744 1880 msedge.exe 122 PID 1880 wrote to memory of 2520 1880 msedge.exe 123 PID 1880 wrote to memory of 2520 1880 msedge.exe 123 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124 PID 1880 wrote to memory of 1976 1880 msedge.exe 124
Processes
(image path, then command line; indentation shows parent/child depth; signatures listed under each process)

C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Trojan.Ransom.Chimera.zip
  PID:880

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:3224

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap30531:100:7zEvent6480
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1780

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Chimera
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:208

C:\Users\Admin\Desktop\Trojan.Ransom.Chimera.exe
  "C:\Users\Admin\Desktop\Trojan.Ransom.Chimera.exe"
  - Chimera
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:3480

    C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID:6024

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6024 CREDAT:17410 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID:6000

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1880

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc012346f8,0x7ffc01234708,0x7ffc01234718
      PID:4540

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
      PID:1744

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID:2520

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
      PID:1976

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      PID:2516

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      PID:1240

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
      PID:1324

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:1532

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
      PID:5392

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
      PID:5348

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
      PID:5340

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
      PID:1688

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
      PID:5708

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
      PID:6048

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:464

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2416
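The signature lists above are dominated by volume from processes the sample never started: the EnumeratesProcesses, FindShellTrayWindow, SendNotifyMessage and WriteProcessMemory hits come from taskmgr.exe (1740), 7zG.exe (1780) and the msedge.exe tree (1880), all top-level processes, while the behaviour that belongs to the sample is confined to PID 3480 and its children: RenamesItself, SeDebugPrivilege, and iexplore.exe (6024) launched with -k on the ransom note. The Python below is an added example, not part of this report or of any sandbox's code. It takes an excerpt of the tree in the report's own flattened layout (constructed below, some Edge command lines abridged), rebuilds parent/child links from the depth digit that precedes each ⤵, and then splits every signature hit into those fired by the sample's lineage and those fired by everything else, and reports which process inside that lineage opened the note.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed excerpt of the report's process tree, in its flattened layout:
# "<image><command line><depth>⤵", optional "- <signature>" bullets, "PID:<n>".
SAMPLE_TREE = r"""
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Trojan.Ransom.Chimera.zip1⤵PID:880
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap30531:100:7zEvent64801⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780
C:\Users\Admin\Desktop\Trojan.Ransom.Chimera.exe"C:\Users\Admin\Desktop\Trojan.Ransom.Chimera.exe"1⤵
- Chimera
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:3480
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"2⤵
- Modifies Internet Explorer settings
PID:6024
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6024 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
PID:6000
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1880
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process /prefetch:22⤵PID:1744
"""

_LINE = re.compile(r"^(?P<body>.*)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$")
_EXE = re.compile(r"\.exe", re.IGNORECASE)


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional["Proc"] = None
    signatures: List[str] = field(default_factory=list)


def split_image(body: str):
    """The image path is printed immediately followed by the command line, which
    repeats that path (bare or quoted): split at the first '.exe' after which
    the text restarts with the same path."""
    for m in _EXE.finditer(body):
        image, rest = body[: m.end()], body[m.end():]
        if rest.startswith(image) or rest.startswith('"' + image):
            return image, rest
    raise ValueError(f"cannot split image from command line: {body!r}")


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent links from the depth digit: a depth-d entry is a child of
    the most recent depth-(d-1) entry. PIDs may arrive on a later line."""
    procs: List[Proc] = []
    stack: List[Proc] = []          # stack[d-1] = most recent process at depth d
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":   # bullet residue between entries
            continue
        m = _LINE.match(line)
        if m:
            image, cmd = split_image(m.group("body"))
            cur = Proc(image, cmd, int(m.group("depth")))
            if m.group("pid"):
                cur.pid = int(m.group("pid"))
            del stack[cur.depth - 1:]
            cur.parent = stack[-1] if stack else None
            stack.append(cur)
            procs.append(cur)
        elif line.startswith("PID:") and cur is not None:
            cur.pid = int(line[4:])
        elif line.startswith("- ") and cur is not None:
            cur.signatures.append(line[2:])
    return procs


def lineage(procs: List[Proc], root_pid: int) -> Set[int]:
    """PIDs of root_pid and every descendant, found by walking parent links."""
    def under_root(p: Optional[Proc]) -> bool:
        while p is not None:
            if p.pid == root_pid:
                return True
            p = p.parent
        return False
    return {p.pid for p in procs if p.pid is not None and under_root(p)}


def attribute(procs: List[Proc], root_pid: int) -> Dict[str, Dict[str, List[int]]]:
    """Signature hits fired inside the sample's lineage vs. by other processes."""
    ours = lineage(procs, root_pid)
    out: Dict[str, Dict[str, List[int]]] = {"sample": {}, "background": {}}
    for p in procs:
        bucket = out["sample"] if p.pid in ours else out["background"]
        for sig in p.signatures:
            bucket.setdefault(sig, []).append(p.pid)
    return out


def note_viewers(procs: List[Proc], root_pid: int,
                 note: str = "YOUR_FILES_ARE_ENCRYPTED.HTML") -> List[tuple]:
    """Processes in the sample's lineage whose command line opens the ransom
    note (the sample showing its own note); a browser outside the lineage that
    opens the same file, msedge.exe here, was not started by the sample."""
    ours = lineage(procs, root_pid)
    return [(p.pid, p.image.rsplit("\\", 1)[-1]) for p in procs
            if p.pid in ours and note.lower() in p.cmdline.lower()]
```

Run against the constructed excerpt, attribute(parse_tree(SAMPLE_TREE), 3480) puts RenamesItself and the sample's AdjustPrivilegeToken under "sample" together with the Internet Explorer hits from 6024 and 6000, and leaves EnumeratesProcesses, WriteProcessMemory and the 7-Zip and Task Manager privilege use under "background"; note_viewers() returns only iexplore.exe 6024. The same split is what the parent/child columns of a real EDR process-creation feed give you, and it is the first filter to apply before treating a sandbox's 64-entry signature lists as the sample's behaviour.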
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize 4KB
MD5 5fb5b7758b6d87861b876524ceed3533
SHA1 981f093f76b3eb0c9e8eee5b7cac98ea348c524a
SHA256 d60db742f63675ea4e920f57c35f347c5d021789d16f4cf68442a370340ccb53
SHA512 e23a7fbd950d8a013ad8ce9f42487bda36737bc9f61bea2d0f4c70d6311178162e13574559c16fdc631128c3939d83b39d48541c0371f6d36cc3b73211d49f8f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize 4KB
MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e
-
Filesize 152B
MD5 aa378723292221de057e05f75936b4c2
SHA1 d1d52fca8f9ce32735017b9ef3e76c3be33fc2a6
SHA256 48c30b3381ea9417e0c9e02534294378d28d61b6a382294d8096dd5417b6982b
SHA512 f150891a568036089dd727d5d8613fd86e0b528f95ca2887a1be937f59f0e450f2d79fb8b63149abdc47b72bf20085b444e8f8188e221a6fefba08149c7360fd
-
Filesize 152B
MD5 e4e54650fb0a7903f379034c9d82ac20
SHA1 d919492abb1872dadf1cd7bb06ee2b5015054077
SHA256 e5f9de12025a9ba17526352d4087a562df4db1a174441a12473fef875b8523e6
SHA512 06da3dcaf3033c152da33c0c5b633a759317ba9846deff164830364f7482057ff80870e0da0037601bdbda679952a527ffae6d4714d38b5ce89ea8e5395a707c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 72B
MD5 aca22de0358af2a154b1585af0617fa6
SHA1 c3e0610e08ca872fac674c95f20fe9e5bcaa4e25
SHA256 a2e1bd2bc9e8a709325b9924bea6241427f1583105df48aa9f900ae90e8fadc8
SHA512 f4f9b3b29a2653d9356af5208850f63545b617758bfa206991597597361577f1a94af5e3ded8e8d59279eff5c3a84a70935bc19ef8c9374a590ca971e1624573
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize 407B
MD5 740230404a38b1cdf4fcc96f28d4bcea
SHA1 bcd648a628baa5ca9476e32ec310e0b781c56524
SHA256 e6b656c9880cb464ff38ff11651e2a7fd7e1e6228b1575d22d06e03887b5f2ae
SHA512 dafa446447dfc085a0e6b80ad518d7178b4797c9e65e6343c7f248067aeddc87cdcf921678009edb0cad85cc7a9428754ecadb1371c83bf9a194fc889f152d03
-
Filesize 5KB
MD5 47a143fc3493a49669309f3c5933cb18
SHA1 c8a15136444910aed8544ab1b6a5eca261b6c424
SHA256 2c425b674a0bd59ea7b1ce6f9a4215e6f7bb638b78444ac41baa089fffb55d7a
SHA512 79f6cd923990b34d7c0add868a4c1acf18ff0cd5ed46e6589ee895baf00b03bd360b88c80e2cfb5c5d0386edd9c9f274f877d53c5314ccbfdb46b072fbfd5963
-
Filesize 5KB
MD5 5def1e64184b74a6d00c45992cd10ffb
SHA1 de5cdd108dd5218878c59739137fdc03acc34ae0
SHA256 fe945e50f0e378710b6c182b67ffabe8f9a86fa5905a3fa6f6b1968e589e4c1c
SHA512 a568a72c89a7fe94a9ffa3a68e7df9611973d5016cce9f7d02a92adda465d134a2d2b1ea47269236cf79b473740bdeffcb7b287a26662c4fdb773fc7156eeacd
-
Filesize 5KB
MD5 65f4f4463910e40e52f194139d68d664
SHA1 7b426910b11aa6a3f6697bdc94e8874e01bb60a7
SHA256 f92d07c6f8eb43ffb5810d08a4362b70dd249ffd8c786a75c6049e781551c443
SHA512 9dadf13d3a431517321eaf387509631ab2ec826a51dd2fb645955586efbc4ffc33c940ae0263fe6912cccbc972a49ce74187fee65f6334b71b8a2e7c15618c9b
-
Filesize 6KB
MD5 8c74e13ef2895ad149ea7d3376a96a98
SHA1 8e05515f217fa8595a5a11ed5a7dbb66a62860b5
SHA256 6136bb815c871eb6989b3fe2121b7203f8000bca0c3c8a556c0647010f7a2804
SHA512 beaca8325b289c95f99a2819774c81cfd301db4202947272f8986c16fbe4013454dc2fdf38e3897e0be08c834608de6365b03e5d6a1d55a8ced7e5855135a1fe
-
Filesize 6KB
MD5 b8a7dacc73f2ea0c5a04926bcb9cd779
SHA1 ddd2fc95ddc7be4e72e88f0659d54cf4f131dfb9
SHA256 269406e828d025b0903b8a159679081473be5babf6644bf19e1379cdb9e3add7
SHA512 a918fa9df53d3805ca330735e6cb6b70be397ce37a057feafdd72b31fd3ae285eab3ed1099d6a5caf5d11a328c087f4ab091f05086028c5b042e6dd3cb11a516
-
Filesize 24KB
MD5 12998953cab3415bfd740ab071b9889e
SHA1 b919bede30bfaccd6f058062ef2483e136f23077
SHA256 015eb45910f2258fbf839b8f0188e679555a70f90de7fa6828e49b4e328c2259
SHA512 912e9c06836623ab1a75b9ba7670454f8ba129811478a35561d6a16b5291b6ef34a206af810e5877c49464c264661bfa37666dc7360afdd906b63093582ede58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 72B
MD5 7e69dc31ed799502c514e913607906eb
SHA1 83c9f7782c733a9ca3cd2a20d51c7a7447334a80
SHA256 ade67782293d2b626870ea660775b88c6bad26817f7bc39cde5f7f57e217d1fd
SHA512 40c8076674bad11ecf0c9944153e3cf51f287645f2322ff26da433efb73a87836de1e49daa31fad5b9770311e3cdce231dfd2b11319049454d2350802364cee1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59163d.TMP
Filesize 48B
MD5 bc23e8b13d7dadb70873034c40deeead
SHA1 4bcd2db580cc3c2f9873992ce4c88165fb696afa
SHA256 cff8f407774919cf372e99755472a85331d6adb12c4ea6dc58c4f45f86d8defe
SHA512 ea7f85bab3c79a4599e580f70d5340ae70c0d15ae07c3db9d1a0023353b6c53e4e08bc8e6f835ea20585b5c64944efbf771e51b089026d6ad2269dac50c1152f
-
Filesize 538B
MD5 6df1ae43daedc5dee4cde06910e87e69
SHA1 e78eeff807a85bc0d3280ed993140d39a94cf373
SHA256 90bbd2d9abb220c29eaf0bca5a7a9327207657a1d082bd28122c360d6689f50f
SHA512 64069aa3213fd395dc025022fcab0d23f711514b2b80f2dba4e8fcf1adbdc0afeaf1f9413d6ad3eb3c7f961cc7e61768601cdf4db631da617f6a50150f7e9e7e
-
Filesize 371B
MD5 06b9ad74126064a9f7d1c104633c6c1c
SHA1 be27eeb74de9f0c45307a213871ad2873350e2db
SHA256 670ba4465abc03a8884fd0f5a27b43900f8fab61a42cfdc4db8f25a00c75f251
SHA512 093eaf724c6e667277bf7aeac271da6261f4aa922710e424526c3e5727110f29bd1b798a6426adf45bff464f806d2850d9449063f47c930a4087b306c1fc72d3
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize 10KB
MD5 51db15caab26c115cd72cf398a7e4283
SHA1 edcc2e7ff74a5a5f73f35c8e029b8f0327c20da6
SHA256 08f396fe7c0880a6326b7e1953499f577a6dc2c336dd9d67cabad37bac29ca47
SHA512 8971b7830bad12de169bf76f3c25c6dcb5cb8a84986459f6b3d2627bec88db0c6e67625747ff2cc8019d6a83f37e2be1da9a5946f2107c9edf0e43107b19475d
-
Filesize 10KB
MD5 24dea725ff36b6db6fec1ef2fc848d40
SHA1 5db5a66c28122e549da954fce3270630afb93dd2
SHA256 d9e0d6a3bca49b3906fac2755a0f3fff0a413360d3f32bb84c540f7e8b906f0f
SHA512 d930b3b4dec3c7ec0e1886b7bf34da0883698a8e63c24ccffaff713eaa614d4fc8de38781701f6faba39dc83f15760e4e45749ad7c9d788f71888c5e59018f6f
-
Filesize 10KB
MD5 ca9710e2a8e806c3c864f592ef2a74f6
SHA1 be2c764c101e8c62e4ece612a2d61ffc4b1e030d
SHA256 291476eead427e1eeb8a73c1bc76145e2ce5ee971e397eaa91096a3c4fc526ef
SHA512 0fe387b8a2048ac3d02c6c3088741b0b561b4cc3e8dc1ccd85ce618d58d4a38597418a1a7832d9e0b34afdb2256fd24f51274bee36ac6e195a7936d9ee43a3c3
-
Filesize 88KB
MD5 002d5646771d31d1e7c57990cc020150
SHA1 a28ec731f9106c252f313cca349a68ef94ee3de9
SHA256 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
SHA512 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6
-
Filesize 232KB
MD5 60fabd1a2509b59831876d5e2aa71a6b
SHA1 8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512 3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a