chimera | c577e52acd51c63f1313eadd17580a9d89995e6a9713d40d390e40dc2d7da404

Resubmissions

12/03/2025, 21:38

250312-1g2k8atybt 10

09/03/2025, 00:43

250309-a3c7mswkz5 10

09/03/2025, 00:40

250309-a1jxeawvbx 10

Analysis

max time kernel
111s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Ransom.Chimera.zip
Size

128KB
MD5

516c7e4d553b8a32856b5c4fc2e7519d
SHA1

ca20c227b31eacec40c9a2935a0f5921f3d4e1b7
SHA256

c577e52acd51c63f1313eadd17580a9d89995e6a9713d40d390e40dc2d7da404
SHA512

ad2a5356a0d9faf7cac215a2bdd44cba0fde89e5ad4f887389db7f8576a7829595e61d81d485597fa3dbdfaaa6190be291087166d9eadf7e1855a73fbdc6cb16
SSDEEP

3072:z6rHehPZGIQFIbdqrVKKLaF8eL3SqLjPn4RT:+qhPZGIkIbdS8K2T2q/Qh

Score

10^/10

chimera discovery ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files\Microsoft Office\root\fre\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings	OpenWith.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral2/memory/3480-4-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (3285) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
3480	Trojan.Ransom.Chimera.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Public\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Trojan.Ransom.Chimera.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-400.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-200.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-100.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-200.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-white_scale-100.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured_lg.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-down_32.svg	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_3qtr.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-24_altform-unplated.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-100.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-64_contrast-black.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\View3d\3DViewerProductDescription-universal.xml	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\fillandsign.svg	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt_get.svg	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LargeTile.scale-200_contrast-white.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_8_Loud.m4a	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-125.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-200_contrast-white.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\word.x-none.msi.16.x-none.vreg.dat	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-125.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-200.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-125.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-256_altform-lightunplated.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\sat_logo_2x.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-200.png	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\OfflineError.svg	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-80.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-150_contrast-black.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-100.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\ui-strings.js	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\ui-strings.js	Trojan.Ransom.Chimera.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionSmallTile.scale-400.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-300.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-RTL.gif	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\BadgeLogo.scale-100.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\ui-strings.js	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\55.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-100.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-200.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_3.m4a	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-125.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\WideTile.scale-125.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-36.png	Trojan.Ransom.Chimera.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-400.png	Trojan.Ransom.Chimera.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Ransom.Chimera.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 7ecfc6db8f81db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000563f6f772e761642b0847d9d3ab62bd300000000020000000000106600000001000020000000e61ba7ca5ea2c2d03be96e75485ad62640f9f742c19ab6a3446953ace54de7af000000000e8000000002000020000000ce1856f4360e5f44eafb701643c361af1d6d8e78b7fd228502e9011cf286977110000000c2a825847c19f482a8cc3e95ff29f60d40000000d101af76a82bc5d5b3365cabd2ff601178f7a5d34f84b4d176bca56d4cf18a792caf8cb74b390687a483ee3aa0fe021164bfe1ed761c65a1a1c7826309ea4a11	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7DBAB9E6-FF8A-11EF-B404-F2FFF3D77906} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000563f6f772e761642b0847d9d3ab62bd3000000000200000000001066000000010000200000000b9aed9bf52c9cf05100eddbcd735be12af7f27a7a4649bfc37d2698f869f4cd000000000e8000000002000020000000a23e5e5f8454192baa6f681a1464edd1e86ed27faaea28dd1ba8215f68a50561100000002e5703567c6bf0b2432f259f401e4f51400000002b5357a804387fcc7d0348bb5314273dccf103376efe1587cde0077e547b3e872ebbec56466dd83bac2dce1c5e9a7c1375766e17a757a9df5e855f3ae694c89c	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000563f6f772e761642b0847d9d3ab62bd30000000002000000000010660000000100002000000086be7f819879355a361f5e70d3bc804379a018daedb0a8ddb1533665e120af3a000000000e8000000002000020000000ae6bc28a38f7b324d368cbaff080deef091a2567c136e1f5772cd40d2578fa9850000000ac540d0c1a134e0c9b50b5d846bc4a95abec5862790d0bcbb125a457278915de52c60eeb73e99222a475085d25d8ac48a6da41513f92d1a18ea83ed15e454e4b02139499a24daa5e86b25eaa444603a2400000007e954ea02e3b324262f065500c99d352a921e3ef9d3fb31d7284e75ff984376e80b30b3ea0f98d4254bc2c81932c30d81a2edc7a3c11387c32e4a889a45b94dd	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000563f6f772e761642b0847d9d3ab62bd3000000000200000000001066000000010000200000002c0ea8e531ca5faf47fd62111092e481b202977be3680a98a7a702c5c2d2bf6b000000000e800000000200002000000057d7440cc81becbc6aa87b16408e685f812b4c414c99a0d45bd17224e19ce50f5000000078d000239844730f21cd339e4770835acfb10855053cdca0312210dd20fa6f9936430f836f7da1db3f068cc1e452cc576c063492a9bf0893eebc52ad555a24e5e59043b77efe310d475932007735b0944000000081d07efca5db8f5376e4aaff95a80596c898ef233ff7f3ce02f2c4c76a93b338c9689beaa03f25fc852c2dce68924efcc16a5694d4c2cd1bea1012bb2b86e88d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 7ecfc6db8f81db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
2520	msedge.exe
2520	msedge.exe
1880	msedge.exe
1880	msedge.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1532	identity_helper.exe
1532	identity_helper.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3480	Trojan.Ransom.Chimera.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1780	7zG.exe
Token: 35	1780	7zG.exe
Token: SeSecurityPrivilege	1780	7zG.exe
Token: SeSecurityPrivilege	1780	7zG.exe
Token: SeDebugPrivilege	3480	Trojan.Ransom.Chimera.exe
Token: SeDebugPrivilege	1740	taskmgr.exe
Token: SeSystemProfilePrivilege	1740	taskmgr.exe
Token: SeCreateGlobalPrivilege	1740	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1780	7zG.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
208	OpenWith.exe
6024	iexplore.exe
6024	iexplore.exe
6000	IEXPLORE.EXE
6000	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 4540	1880	msedge.exe	121
PID 1880 wrote to memory of 4540	1880	msedge.exe	121
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 1744	1880	msedge.exe	122
PID 1880 wrote to memory of 2520	1880	msedge.exe	123
PID 1880 wrote to memory of 2520	1880	msedge.exe	123
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124
PID 1880 wrote to memory of 1976	1880	msedge.exe	124

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Trojan.Ransom.Chimera.zip
1⤵
PID:880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3224

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap30531:100:7zEvent6480
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1780

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Chimera
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:208

C:\Users\Admin\Desktop\Trojan.Ransom.Chimera.exe
"C:\Users\Admin\Desktop\Trojan.Ransom.Chimera.exe"
1⤵
- Chimera
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:3480
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:6024
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6024 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:6000

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc012346f8,0x7ffc01234708,0x7ffc01234718
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,331444431204869029,12630624736074397375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:6048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
5fb5b7758b6d87861b876524ceed3533

SHA1
981f093f76b3eb0c9e8eee5b7cac98ea348c524a

SHA256
d60db742f63675ea4e920f57c35f347c5d021789d16f4cf68442a370340ccb53

SHA512
e23a7fbd950d8a013ad8ce9f42487bda36737bc9f61bea2d0f4c70d6311178162e13574559c16fdc631128c3939d83b39d48541c0371f6d36cc3b73211d49f8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aa378723292221de057e05f75936b4c2

SHA1
d1d52fca8f9ce32735017b9ef3e76c3be33fc2a6

SHA256
48c30b3381ea9417e0c9e02534294378d28d61b6a382294d8096dd5417b6982b

SHA512
f150891a568036089dd727d5d8613fd86e0b528f95ca2887a1be937f59f0e450f2d79fb8b63149abdc47b72bf20085b444e8f8188e221a6fefba08149c7360fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4e54650fb0a7903f379034c9d82ac20

SHA1
d919492abb1872dadf1cd7bb06ee2b5015054077

SHA256
e5f9de12025a9ba17526352d4087a562df4db1a174441a12473fef875b8523e6

SHA512
06da3dcaf3033c152da33c0c5b633a759317ba9846deff164830364f7482057ff80870e0da0037601bdbda679952a527ffae6d4714d38b5ce89ea8e5395a707c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
aca22de0358af2a154b1585af0617fa6

SHA1
c3e0610e08ca872fac674c95f20fe9e5bcaa4e25

SHA256
a2e1bd2bc9e8a709325b9924bea6241427f1583105df48aa9f900ae90e8fadc8

SHA512
f4f9b3b29a2653d9356af5208850f63545b617758bfa206991597597361577f1a94af5e3ded8e8d59279eff5c3a84a70935bc19ef8c9374a590ca971e1624573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
407B

MD5
740230404a38b1cdf4fcc96f28d4bcea

SHA1
bcd648a628baa5ca9476e32ec310e0b781c56524

SHA256
e6b656c9880cb464ff38ff11651e2a7fd7e1e6228b1575d22d06e03887b5f2ae

SHA512
dafa446447dfc085a0e6b80ad518d7178b4797c9e65e6343c7f248067aeddc87cdcf921678009edb0cad85cc7a9428754ecadb1371c83bf9a194fc889f152d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
47a143fc3493a49669309f3c5933cb18

SHA1
c8a15136444910aed8544ab1b6a5eca261b6c424

SHA256
2c425b674a0bd59ea7b1ce6f9a4215e6f7bb638b78444ac41baa089fffb55d7a

SHA512
79f6cd923990b34d7c0add868a4c1acf18ff0cd5ed46e6589ee895baf00b03bd360b88c80e2cfb5c5d0386edd9c9f274f877d53c5314ccbfdb46b072fbfd5963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5def1e64184b74a6d00c45992cd10ffb

SHA1
de5cdd108dd5218878c59739137fdc03acc34ae0

SHA256
fe945e50f0e378710b6c182b67ffabe8f9a86fa5905a3fa6f6b1968e589e4c1c

SHA512
a568a72c89a7fe94a9ffa3a68e7df9611973d5016cce9f7d02a92adda465d134a2d2b1ea47269236cf79b473740bdeffcb7b287a26662c4fdb773fc7156eeacd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
65f4f4463910e40e52f194139d68d664

SHA1
7b426910b11aa6a3f6697bdc94e8874e01bb60a7

SHA256
f92d07c6f8eb43ffb5810d08a4362b70dd249ffd8c786a75c6049e781551c443

SHA512
9dadf13d3a431517321eaf387509631ab2ec826a51dd2fb645955586efbc4ffc33c940ae0263fe6912cccbc972a49ce74187fee65f6334b71b8a2e7c15618c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c74e13ef2895ad149ea7d3376a96a98

SHA1
8e05515f217fa8595a5a11ed5a7dbb66a62860b5

SHA256
6136bb815c871eb6989b3fe2121b7203f8000bca0c3c8a556c0647010f7a2804

SHA512
beaca8325b289c95f99a2819774c81cfd301db4202947272f8986c16fbe4013454dc2fdf38e3897e0be08c834608de6365b03e5d6a1d55a8ced7e5855135a1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b8a7dacc73f2ea0c5a04926bcb9cd779

SHA1
ddd2fc95ddc7be4e72e88f0659d54cf4f131dfb9

SHA256
269406e828d025b0903b8a159679081473be5babf6644bf19e1379cdb9e3add7

SHA512
a918fa9df53d3805ca330735e6cb6b70be397ce37a057feafdd72b31fd3ae285eab3ed1099d6a5caf5d11a328c087f4ab091f05086028c5b042e6dd3cb11a516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
12998953cab3415bfd740ab071b9889e

SHA1
b919bede30bfaccd6f058062ef2483e136f23077

SHA256
015eb45910f2258fbf839b8f0188e679555a70f90de7fa6828e49b4e328c2259

SHA512
912e9c06836623ab1a75b9ba7670454f8ba129811478a35561d6a16b5291b6ef34a206af810e5877c49464c264661bfa37666dc7360afdd906b63093582ede58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7e69dc31ed799502c514e913607906eb

SHA1
83c9f7782c733a9ca3cd2a20d51c7a7447334a80

SHA256
ade67782293d2b626870ea660775b88c6bad26817f7bc39cde5f7f57e217d1fd

SHA512
40c8076674bad11ecf0c9944153e3cf51f287645f2322ff26da433efb73a87836de1e49daa31fad5b9770311e3cdce231dfd2b11319049454d2350802364cee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59163d.TMP

Filesize
48B

MD5
bc23e8b13d7dadb70873034c40deeead

SHA1
4bcd2db580cc3c2f9873992ce4c88165fb696afa

SHA256
cff8f407774919cf372e99755472a85331d6adb12c4ea6dc58c4f45f86d8defe

SHA512
ea7f85bab3c79a4599e580f70d5340ae70c0d15ae07c3db9d1a0023353b6c53e4e08bc8e6f835ea20585b5c64944efbf771e51b089026d6ad2269dac50c1152f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
6df1ae43daedc5dee4cde06910e87e69

SHA1
e78eeff807a85bc0d3280ed993140d39a94cf373

SHA256
90bbd2d9abb220c29eaf0bca5a7a9327207657a1d082bd28122c360d6689f50f

SHA512
64069aa3213fd395dc025022fcab0d23f711514b2b80f2dba4e8fcf1adbdc0afeaf1f9413d6ad3eb3c7f961cc7e61768601cdf4db631da617f6a50150f7e9e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d7dd.TMP

Filesize
371B

MD5
06b9ad74126064a9f7d1c104633c6c1c

SHA1
be27eeb74de9f0c45307a213871ad2873350e2db

SHA256
670ba4465abc03a8884fd0f5a27b43900f8fab61a42cfdc4db8f25a00c75f251

SHA512
093eaf724c6e667277bf7aeac271da6261f4aa922710e424526c3e5727110f29bd1b798a6426adf45bff464f806d2850d9449063f47c930a4087b306c1fc72d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
51db15caab26c115cd72cf398a7e4283

SHA1
edcc2e7ff74a5a5f73f35c8e029b8f0327c20da6

SHA256
08f396fe7c0880a6326b7e1953499f577a6dc2c336dd9d67cabad37bac29ca47

SHA512
8971b7830bad12de169bf76f3c25c6dcb5cb8a84986459f6b3d2627bec88db0c6e67625747ff2cc8019d6a83f37e2be1da9a5946f2107c9edf0e43107b19475d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
24dea725ff36b6db6fec1ef2fc848d40

SHA1
5db5a66c28122e549da954fce3270630afb93dd2

SHA256
d9e0d6a3bca49b3906fac2755a0f3fff0a413360d3f32bb84c540f7e8b906f0f

SHA512
d930b3b4dec3c7ec0e1886b7bf34da0883698a8e63c24ccffaff713eaa614d4fc8de38781701f6faba39dc83f15760e4e45749ad7c9d788f71888c5e59018f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ca9710e2a8e806c3c864f592ef2a74f6

SHA1
be2c764c101e8c62e4ece612a2d61ffc4b1e030d

SHA256
291476eead427e1eeb8a73c1bc76145e2ce5ee971e397eaa91096a3c4fc526ef

SHA512
0fe387b8a2048ac3d02c6c3088741b0b561b4cc3e8dc1ccd85ce618d58d4a38597418a1a7832d9e0b34afdb2256fd24f51274bee36ac6e195a7936d9ee43a3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kno6DC.tmp

Filesize
88KB

MD5
002d5646771d31d1e7c57990cc020150

SHA1
a28ec731f9106c252f313cca349a68ef94ee3de9

SHA256
1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

SHA512
689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

Download Submit
C:\Users\Admin\Desktop\Trojan.Ransom.Chimera.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
memory/1740-634-0x000001CD36300000-0x000001CD36301000-memory.dmp

Filesize
4KB

Download
memory/1740-632-0x000001CD36300000-0x000001CD36301000-memory.dmp

Filesize
4KB

Download
memory/1740-631-0x000001CD36300000-0x000001CD36301000-memory.dmp

Filesize
4KB

Download
memory/1740-633-0x000001CD36300000-0x000001CD36301000-memory.dmp

Filesize
4KB

Download
memory/1740-630-0x000001CD36300000-0x000001CD36301000-memory.dmp

Filesize
4KB

Download
memory/1740-617-0x000001CD36300000-0x000001CD36301000-memory.dmp

Filesize
4KB

Download
memory/1740-629-0x000001CD36300000-0x000001CD36301000-memory.dmp

Filesize
4KB

Download
memory/1740-618-0x000001CD36300000-0x000001CD36301000-memory.dmp

Filesize
4KB

Download
memory/1740-619-0x000001CD36300000-0x000001CD36301000-memory.dmp

Filesize
4KB

Download
memory/1740-628-0x000001CD36300000-0x000001CD36301000-memory.dmp

Filesize
4KB

Download
memory/3480-9-0x0000000005770000-0x000000000578A000-memory.dmp

Filesize
104KB

Download
memory/3480-4-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download