Resubmissions
10-04-2024 19:40
240410-ydkgescg9z 110-04-2024 19:27
240410-x6ewzace5s 1010-04-2024 19:16
240410-xzannshb36 610-04-2024 19:04
240410-xq4kdsca2y 1010-04-2024 18:56
240410-xlmq3sbg4y 1010-04-2024 18:54
240410-xka1wsbf9s 710-04-2024 18:49
240410-xga7gsgd82 610-04-2024 18:41
240410-xbrmaabd2x 8Analysis
-
max time kernel
529s -
max time network
524s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
10-04-2024 19:16
Static task
static1
Behavioral task
behavioral1
Sample
sample.html
Resource
win11-20240221-en
General
-
Target
sample.html
-
Size
467KB
-
MD5
12b9d6652e7d1689ed510c50c53bd38c
-
SHA1
013a1cc01a97a97d9b18dfbafcfec91a57e6232a
-
SHA256
4b1aa26e12d9f06ba494ad2e2223466c8ddc5bc61b5f189630dffea54f3d93ce
-
SHA512
0ce40b9a4d137d99330f7bc2776734d121d485d3f1e3af23ede4bbebead330c30de2c4568029303259812d591ef7bbc52bd1f16d8912dd5ea006523008346e7c
-
SSDEEP
6144:DFoiM/iMTiMkiMriM2iMSiMliMziMViMuMt:D2iciiiViQibiRimiIiOiXMt
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: ChilledWindows.exe File opened (read-only) \??\H: ChilledWindows.exe File opened (read-only) \??\I: ChilledWindows.exe File opened (read-only) \??\J: ChilledWindows.exe File opened (read-only) \??\R: ChilledWindows.exe File opened (read-only) \??\Z: ChilledWindows.exe File opened (read-only) \??\B: ChilledWindows.exe File opened (read-only) \??\E: ChilledWindows.exe File opened (read-only) \??\G: ChilledWindows.exe File opened (read-only) \??\Y: ChilledWindows.exe File opened (read-only) \??\A: ChilledWindows.exe File opened (read-only) \??\S: ChilledWindows.exe File opened (read-only) \??\T: ChilledWindows.exe File opened (read-only) \??\X: ChilledWindows.exe File opened (read-only) \??\O: ChilledWindows.exe File opened (read-only) \??\P: ChilledWindows.exe File opened (read-only) \??\Q: ChilledWindows.exe File opened (read-only) \??\V: ChilledWindows.exe File opened (read-only) \??\K: ChilledWindows.exe File opened (read-only) \??\L: ChilledWindows.exe File opened (read-only) \??\M: ChilledWindows.exe File opened (read-only) \??\N: ChilledWindows.exe File opened (read-only) \??\W: ChilledWindows.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 3804 3228 WerFault.exe 108 3636 3992 WerFault.exe 113 4560 4736 WerFault.exe 116 -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4181651180-3163410697-3990547336-1000\{A0850E74-80C7-4FF7-B7A0-D4C729C41725} msedge.exe Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4181651180-3163410697-3990547336-1000\{D448434C-0F4C-4E0B-AF37-51C7BBCAEE99} ChilledWindows.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier msedge.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 956 msedge.exe 956 msedge.exe 4160 msedge.exe 4160 msedge.exe 1536 msedge.exe 1536 msedge.exe 780 msedge.exe 780 msedge.exe 1672 identity_helper.exe 1672 identity_helper.exe 3832 msedge.exe 3832 msedge.exe 3832 msedge.exe 3832 msedge.exe 1568 msedge.exe 1568 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeShutdownPrivilege 2988 ChilledWindows.exe Token: SeCreatePagefilePrivilege 2988 ChilledWindows.exe Token: 33 4800 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4800 AUDIODG.EXE Token: SeShutdownPrivilege 2988 ChilledWindows.exe Token: SeCreatePagefilePrivilege 2988 ChilledWindows.exe Token: SeShutdownPrivilege 2988 ChilledWindows.exe Token: SeCreatePagefilePrivilege 2988 ChilledWindows.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe 4160 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2680 MiniSearchHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4160 wrote to memory of 4976 4160 msedge.exe 78 PID 4160 wrote to memory of 4976 4160 msedge.exe 78 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 244 4160 msedge.exe 79 PID 4160 wrote to memory of 956 4160 msedge.exe 80 PID 4160 wrote to memory of 956 4160 msedge.exe 80 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81 PID 4160 wrote to memory of 4552 4160 msedge.exe 81
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ffb39ec3cb8,0x7ffb39ec3cc8,0x7ffb39ec3cd82⤵PID:4976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:22⤵PID:244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:82⤵PID:4552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:12⤵PID:2124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵PID:2096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:12⤵PID:1028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:12⤵PID:3212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5228 /prefetch:82⤵PID:4376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5220 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:12⤵PID:3992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:12⤵PID:1764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:12⤵PID:4904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:12⤵PID:3100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:12⤵PID:4884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:12⤵PID:3252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:12⤵PID:3120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵PID:4688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6992 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7044 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,4447853205509718940,6291069211071481050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:12⤵PID:2152
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1996
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1300
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Avoid.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Avoid.exe"1⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"1⤵PID:3228
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 12282⤵
- Program crash
PID:3804
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3228 -ip 32281⤵PID:3504
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"1⤵PID:3992
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 14562⤵
- Program crash
PID:3636
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3992 -ip 39921⤵PID:724
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"1⤵PID:4736
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 14242⤵
- Program crash
PID:4560
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4736 -ip 47361⤵PID:4384
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"1⤵PID:912
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D81⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2680
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Hydra.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Hydra.exe"1⤵PID:1032
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Flasher.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Flasher.exe"1⤵PID:4640
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Popup.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Popup.exe"1⤵PID:3136
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD53b1e59e67b947d63336fe9c8a1a5cebc
SHA15dc7146555c05d8eb1c9680b1b5c98537dd19b91
SHA2567fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263
SHA5122d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0
-
Filesize
152B
MD50e10a8550dceecf34b33a98b85d5fa0b
SHA1357ed761cbff74e7f3f75cd15074b4f7f3bcdce0
SHA2565694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61
SHA512fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5903fed0bb3556d84977c6a2283853f4c
SHA1e5874d0f2126225b756ab366b5ad98027d5d2902
SHA256e45e8115bc552365c195558ff4c3f594a605005df34a99c5286a472b230eeccf
SHA512627753221429afde395908243944c9249dfd3fd4fedfbf63471197caeb09b49dfa8c4b275a0fbb915f1563708e9e6ec1543c44d872d3d7ed5a1574eee283fb2f
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1KB
MD517d03411a7cdf396155811465b4f4243
SHA1adb0d7b9bca4e551b951c2a65904bd1c9c59db7f
SHA25658213fa25561cd4e3323bd45e224c5e74164629598964a715180090dbbdc1532
SHA5129380d85e8c6c3712e877df02aab21bdf4151e8ae665b2441ae2e550e7e91dde6a1ff9e656b77406f981ff4dcd7c421a266eddfdcd03bb3972137a40b4f05a3f1
-
Filesize
5KB
MD554638a1349550f6665aa2fe4981d9416
SHA1d36911c87f77d0c8b7d4adda840d8a892cd87bcb
SHA2563dca81ac1aef8c0864fee6025c6bb4e08aa42c3bbe83aaf099f08fb2ce2f2ced
SHA512e72f226ef6b0848df107704e6993e2abbee828c14ef14ce9f2684b1a63d93d02294e4e209fd73ddcb3e74ea22359c5a1e70082e206bac0bb584c07d7152c0bec
-
Filesize
6KB
MD51de1ffa92d11ab7c3a4ba79b1c3a4521
SHA1ac6aee6789f6d7c8057969a80b55cdfd687def3b
SHA256724b471c617140d911af6a4707aca90e6588ab5292342136dfea30f1dec187d1
SHA51208aff6f8c0722a6926b64646cf37dd1bc85aa75a41ba07eeaebe5cfcf42756350897f8232957337d9ae3fa7b86bfce42d238ebca8f96a00d49bbd52dc2bc2099
-
Filesize
6KB
MD5234c6aae84021d7dc278a706b2c9d93b
SHA1034a492199d3d8fb062000940f8370290ef8258e
SHA256884717d2017e2fd8c93c68e674cb88ef0e3ec9714bd905251c02718e779a0f84
SHA5129842410482d44a66de67675b28c956a41cb8bf08b683f7af378d16ace38c88df2e604dc138335015d8dd517a4abca266df57266460e2c3af13884b6f30cecdc8
-
Filesize
6KB
MD54a76fdf56c00d9e95c8b7ced5c360cd5
SHA150e64eff6e77820795e125cd3a0344e125c7d567
SHA2562f828a7a9855334d791e4d4eb054db2d28a3a66b95d6637fa0d7b44ebb025d63
SHA512f67934d1475ccac226eac519f2c7e7c162d5e936345a776a6935344a4c6063f58e1c69ebb0055b4bdf823b55d4571a57dab69d6dd7ede7d2a7798f53cbc5e086
-
Filesize
1KB
MD5f0b617e9a05ff01055f2dbcf8ba8b7e1
SHA1f401597e29c732aeea99fce99efe0bfd1550b69c
SHA2562f036958904db5abb4afc5f60104569a09ece62282c1697318af94796165f986
SHA512a746e1e101fdb269971db914d84db8b002d05cfaecc62e0a83cee6b4b3dd91d3a3f86889e8370529b56ec76b901b3940f8da6ecd91f39f818758d544e7f8426c
-
Filesize
1KB
MD56ec815ed1982b8123c031874e10ab887
SHA1d2da4c379f77b34e5eac91fc612077fd494ce4c6
SHA25660611a71f148def29655f99f9c250ff4493ab1e7fa57954ff6c090497da381fe
SHA512df31c8e703cedb0c1e2cabb224838620adb1bf70af9042b9cfa2c0da12d90987a7e02379934f61d79ef1194a3f2ddda2c9cabd44545d911b2574a9f48ce975e0
-
Filesize
1KB
MD5f8b8b4ec3c486ed02070c4113fb00c03
SHA1264bbe3cd4d40b82ea0705c2bae1fbf805e77bbb
SHA2566e308743159b8a4a796f17c0136449ef3eda86ea9075e041ac080d269dce0e1c
SHA5123a54befa9895ae59551cad50edbae7776ad7b19321f42701496577bd4b53e37eaed353c82fcc9429cd350b4d7f7167a705257e0117ff4d170ec3482cd06e5e0a
-
Filesize
1KB
MD53932badd57eca9eb41ad89e62a6ecad4
SHA163afc9025b44e802135c13dbb65d46268043c264
SHA256cee9db1e07d5022e728b42daed4590f1bd25f10ba378f4b99c20f08fd00d44d3
SHA512e946aedf7554795c9e6b95f0c6165e092a430e60204c48d86e013c5f1e55cdc1bbd49acd653d8a4828376329589de9ab741956897609c648023240c0f1412166
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f925cd1b-58c4-4972-a418-b66623e37d7e.tmp
Filesize5KB
MD5201be1dcd8a2f96acb199a88048bab0b
SHA1269072b8d92be63b6eba573f939971f0d000e474
SHA256470d695c7a8756af78c6ff63a08f29ae68f49c18cea8b50751f1345c96f939c0
SHA512952b77745a9db11a5d59f0d42f1ebacd69e71776c2b7959df1de8bdb8d560a5e1a304534751da6069bd728c90533d06da78746715d43cc0f5c4ad1bd65b7768a
-
Filesize
11KB
MD52c1822cc063edf380ac68a49ccc7836d
SHA1fc909a504c25ec722a1655d101e55d1a0189c018
SHA25650231acdb02dc91e09e5ed1f65ea9b66525a3c8330d4e65de0376e4a510dc6e7
SHA512a41b8180a5c6c11b778d38437ac489210f1087009c3f45014839facff0b213f1441b6b234107954be56d2a0a04c5c02eeba4a4751a4beccd430b38fbbf9d6f40
-
Filesize
11KB
MD5267cb0c1b562ef832da1c2aced2ee1d1
SHA1e602dab819a3a32549af9e704e7ed82c23109fe5
SHA2569365028a020a14d59fcd7151bb61cfadfe7ee28317eee05c15229d75014d9797
SHA5127954b2f4e76d71e24a6cd224e28b5a9e20447974775c529e32f53ce18ee034b244d05a9c0a910c59a51f1407c7d9e67d1a27afc4b7f572801128bcaecd2024e0
-
Filesize
896KB
MD548bff499c92b19a8dfa87e7da12ccc1c
SHA11a610bc52930cb0d5a5324427d97d3f26106914c
SHA256c986540b7d30317b857f850fac220ac48c8382641535fa3e41c4678769956af2
SHA512836a2f4eaed86446848a8a73ec5be6b23a164defa49969929c4e8c88e2516a41d03a022797f38690c381d2983300463a2b05e6363091ebe55a039b76d3c44ecc
-
Filesize
896KB
MD5d82b30136bab4a73d53c7227c6774716
SHA1834584004936b88a7a183f274f910533b87d5745
SHA25650aa47aada0812f80841f91db2c7fdfab8363915774ab3d46d83b7901ad1eac4
SHA512bd76a470ec8c8b7d5a0b2d892606803e4f0e48404598a58ea69e3339ed26f01ffe796428a3508654e9c062db11785903864bae8d3965e9682d5a731e83662438
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
198.8MB
MD5af60ad5b6cafd14d7ebce530813e68a0
SHA1ad81b87e7e9bbc21eb93aca7638d827498e78076
SHA256b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
SHA51281314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
3.6MB
MD5698ddcaec1edcf1245807627884edf9c
SHA1c7fcbeaa2aadffaf807c096c51fb14c47003ac20
SHA256cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b
SHA512a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155