Resubmissions
- 09/05/2024, 09:15  240509-k72qxadc27  score 8
- 09/05/2024, 09:06  240509-k27d7saa7v  score 10
- 09/05/2024, 08:59  240509-kx4grahg7w  score 8
Analysis
- max time kernel: 391s
- max time network: 392s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/05/2024, 08:59
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  Sample: https://tria.ge/submit/file
  Resource: win10v2004-20240426-en
General
- Target: https://tria.ge/submit/file
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid 5972  ChilledWindows.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by ChilledWindows.exe, in the order recorded: \??\I: \??\M: \??\O: \??\W: \??\Y: \??\Z: \??\H: \??\X: \??\A: \??\J: \??\K: \??\P: \??\S: \??\T: \??\B: \??\E: \??\G: \??\L: \??\N: \??\Q: \??\R: \??\U: \??\V:
  (every drive letter except C:, D: and F:)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 154  raw.githubusercontent.com
  flow 155  raw.githubusercontent.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
- Modifies registry class (2 IoCs)
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-540404634-651139247-2967210625-1000\{51D814C3-53A9-4116-A4C1-2F821C417ADF}  msedge.exe
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-540404634-651139247-2967210625-1000\{CC1F6CF7-0879-46F0-B6F2-1DA5B800173E}  ChilledWindows.exe
- NTFS ADS (1 IoC)
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 45916.crdownload:SmartScreen  msedge.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 1928 msedge.exe (x2); pid 2308 msedge.exe (x2); pid 2428 identity_helper.exe (x2); pid 4044 msedge.exe (x2); pid 972 msedge.exe (x6)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
  pid 2308 msedge.exe (x16)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeShutdownPrivilege  5972 ChilledWindows.exe
  Token: SeCreatePagefilePrivilege  5972 ChilledWindows.exe
  Token: 33  2000 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2000 AUDIODG.EXE
  Token: SeShutdownPrivilege  5972 ChilledWindows.exe
  Token: SeCreatePagefilePrivilege  5972 ChilledWindows.exe
- Suspicious use of FindShellTrayWindow (36 IoCs)
  pid 2308 msedge.exe (x35); pid 5972 ChilledWindows.exe (x1)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid 2308 msedge.exe (x24)
- Suspicious use of WriteProcessMemory (64 IoCs; every write originates from pid 2308 msedge.exe, repeated rows collapsed)
  PID 2308 msedge.exe wrote to memory of 1760  (procid_target 83)
  PID 2308 msedge.exe wrote to memory of 4520  (procid_target 84)
  PID 2308 msedge.exe wrote to memory of 1928  (procid_target 85)
  PID 2308 msedge.exe wrote to memory of 3036  (procid_target 86)
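The signature rows above are rendered as one flattened string per signature, which hides the three things a triager wants from them: which drive letters the dropped binary walked and which it skipped, which token privileges each process enabled, and whether any cross-process memory write came from something other than Edge. The script below is an added example, not tria.ge code; the row text is copied from this report (the WriteProcessMemory excerpt is shortened to a few rows), the LUID-to-name mapping for the bare "33" comes from winnt.h (SE_INC_WORKING_SET_PRIVILEGE), and the function names are this example's own.

```python
"""Parse flattened tria.ge signature rows into records and derive triage facts.

Added example, not tria.ge code. Row strings are copied from the report above
(the WriteProcessMemory excerpt is shortened); helper names are this example's own."""
import re
from collections import Counter

# "Enumerates connected drives": all 23 rows, in the order the report lists them.
DRIVE_ROWS = r"""
File opened (read-only) \??\I: ChilledWindows.exe
File opened (read-only) \??\M: ChilledWindows.exe
File opened (read-only) \??\O: ChilledWindows.exe
File opened (read-only) \??\W: ChilledWindows.exe
File opened (read-only) \??\Y: ChilledWindows.exe
File opened (read-only) \??\Z: ChilledWindows.exe
File opened (read-only) \??\H: ChilledWindows.exe
File opened (read-only) \??\X: ChilledWindows.exe
File opened (read-only) \??\A: ChilledWindows.exe
File opened (read-only) \??\J: ChilledWindows.exe
File opened (read-only) \??\K: ChilledWindows.exe
File opened (read-only) \??\P: ChilledWindows.exe
File opened (read-only) \??\S: ChilledWindows.exe
File opened (read-only) \??\T: ChilledWindows.exe
File opened (read-only) \??\B: ChilledWindows.exe
File opened (read-only) \??\E: ChilledWindows.exe
File opened (read-only) \??\G: ChilledWindows.exe
File opened (read-only) \??\L: ChilledWindows.exe
File opened (read-only) \??\N: ChilledWindows.exe
File opened (read-only) \??\Q: ChilledWindows.exe
File opened (read-only) \??\R: ChilledWindows.exe
File opened (read-only) \??\U: ChilledWindows.exe
File opened (read-only) \??\V: ChilledWindows.exe
"""
# "Suspicious use of AdjustPrivilegeToken": all 6 rows.
PRIV_ROWS = ("Token: SeShutdownPrivilege 5972 ChilledWindows.exe Token: SeCreatePagefilePrivilege 5972 ChilledWindows.exe "
             "Token: 33 2000 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2000 AUDIODG.EXE "
             "Token: SeShutdownPrivilege 5972 ChilledWindows.exe Token: SeCreatePagefilePrivilege 5972 ChilledWindows.exe")
# "Suspicious use of WriteProcessMemory": shortened excerpt (the report has 64 rows).
WPM_ROWS = ("PID 2308 wrote to memory of 1760 2308 msedge.exe 83 PID 2308 wrote to memory of 1760 2308 msedge.exe 83 "
            "PID 2308 wrote to memory of 4520 2308 msedge.exe 84 PID 2308 wrote to memory of 4520 2308 msedge.exe 84 "
            "PID 2308 wrote to memory of 1928 2308 msedge.exe 85 PID 2308 wrote to memory of 3036 2308 msedge.exe 86")

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
PRIV_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
# tria.ge prints a bare LUID when it has no name for a privilege; winnt.h defines
# SE_INC_WORKING_SET_PRIVILEGE as 33.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}


def parse_drive_rows(text):
    """[(drive_letter, process), ...] in report order."""
    return [(m.group(1), m.group(2)) for m in DRIVE_RE.finditer(text)]


def drives_not_probed(rows):
    """Letters A-Z that never appear in the rows (C: is the system drive the sample skipped)."""
    seen = {letter for letter, _ in rows}
    return [chr(c) for c in range(ord("A"), ord("Z") + 1) if chr(c) not in seen]


def privileges_by_process(text):
    """Map 'pid process' -> set of privilege names the process enabled on its token."""
    out = {}
    for name, pid, proc in PRIV_RE.findall(text):
        out.setdefault(f"{pid} {proc}", set()).add(LUID_NAMES.get(name, name))
    return out


def memory_write_targets(text):
    """Counter of (writer_pid, writer_image, target_pid) -> number of rows."""
    return Counter((int(src), proc, int(tgt)) for src, tgt, proc, _ in WPM_RE.findall(text))


def foreign_writers(writes, allowed=frozenset({"msedge.exe"})):
    """Writer images other than the browser; empty means every write was Edge into its own children."""
    return sorted({proc for _, proc, _ in writes if proc not in allowed})


if __name__ == "__main__":
    rows = parse_drive_rows(DRIVE_ROWS)
    print(f"{len(rows)} drive roots opened by {rows[0][1]}; not probed: {drives_not_probed(rows)}")
    for proc, names in privileges_by_process(PRIV_ROWS).items():
        print(f"{proc}: {sorted(names)}")
    writes = memory_write_targets(WPM_ROWS)
    for (src, proc, tgt), n in writes.items():
        print(f"{proc} (pid {src}) wrote into pid {tgt} x{n}")
    print("non-browser writers:", foreign_writers(writes))
```

The Chromium sandbox broker writes into each child it launches while setting the child up, so Edge-to-Edge rows are expected on any browser run; the check that matters is `foreign_writers`, which is empty for this report because ChilledWindows.exe never appears as a writer. The drive walk, by contrast, is the dropped binary's own behaviour: it opened every root except C:, D: and F:.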
Processes
- PID 2308 (depth 1): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tria.ge/submit/file
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 1760 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffddd8146f8,0x7ffddd814708,0x7ffddd814718
  - PID 4520 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  - PID 1928 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 3036 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  - PID 2376 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  - PID 3384 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  - PID 3932 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  - PID 3272 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  - PID 2428 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 432 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  - PID 1756 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  - PID 4180 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  - PID 4388 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  - PID 3272 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  - PID 4312 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  - PID 3136 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  - PID 3844 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  - PID 2964 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  - PID 4348 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3544 /prefetch:8
  - PID 4044 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5572 /prefetch:8
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
  - PID 4040 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  - PID 5600 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1
  - PID 5680 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  - PID 972 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5004 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 3372 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1076 /prefetch:8
  - PID 4080 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
  - PID 2568 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6588 /prefetch:8
  - PID 972 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,2133600206707820550,12368829392056303084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 5972 (depth 2): "C:\Users\Admin\Downloads\ChilledWindows.exe"
    Signatures: Executes dropped EXE; Enumerates connected drives; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- PID 4952 (depth 1): C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 1884 (depth 1): C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 2000 (depth 1): C:\Windows\system32\AUDIODG.EXE 0x518 0x50c
  Signatures: Suspicious use of AdjustPrivilegeToken
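The flattened listing fuses each process's tree depth, the ⤵ marker and the PID onto the end of its command line ("/prefetch:2" followed by depth "2", "0x50c" followed by depth "1"), and it shows PIDs 972 and 3272 twice because the OS recycled them. The script below is an added example, not tria.ge code: it rebuilds the parent/child tree from those depth digits and flags the one lineage that matters in this report, msedge.exe (PID 2308) launching an executable out of the user's Downloads folder. The rows are copied from the listing above with long command lines shortened; the function names are this example's own.

```python
"""Rebuild the process tree from the flattened tria.ge "Processes" listing and
flag a browser launching an executable from the user's Downloads folder.

Added example, not tria.ge code. Rows are copied from the report above with
long command lines shortened; helper names are this example's own."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

ROWS = [
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --single-argument https://tria.ge/submit/file1⤵PID:2308',
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --type=gpu-process --mojo-platform-channel-handle=2160 /prefetch:22⤵PID:4520',
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\identity_helper.exe" --type=utility /prefetch:82⤵PID:3272',
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --type=renderer --renderer-client-id=13 /prefetch:12⤵PID:3272',
    '"C:\\Users\\Admin\\Downloads\\ChilledWindows.exe"2⤵PID:5972',
    'C:\\Windows\\System32\\CompPkgSrv.exe -Embedding1⤵PID:4952',
    'C:\\Windows\\system32\\AUDIODG.EXE 0x518 0x50c1⤵PID:2000',
]

# The depth digit is glued to the last argument, so anchor on the single digit that
# immediately precedes the ⤵ marker. Depths in this report are one digit; a deeper
# tree would need a different separator.
ROW_RE = re.compile(r"^(.*?)(\d)⤵PID:(\d+)$")
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}


@dataclass
class Proc:
    pid: int
    depth: int
    cmdline: str
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)

    @property
    def image(self) -> str:
        """Executable path: the quoted token if the command line is quoted, else the first token."""
        if self.cmdline.startswith('"'):
            return self.cmdline.split('"', 2)[1]
        return self.cmdline.split(" ", 1)[0]

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    procs = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        cmd, depth, pid = m.groups()
        procs.append(Proc(pid=int(pid), depth=int(depth), cmdline=cmd))
    return procs


def build_tree(procs):
    """Attach each process to the nearest preceding process one level shallower; return the roots."""
    roots, stack = [], []          # stack[i] is the most recent process at depth i+1
    for p in procs:
        del stack[p.depth - 1:]
        if stack:
            p.parent = stack[-1]
            p.parent.children.append(p)
        else:
            roots.append(p)
        stack.append(p)
    return roots


def browser_launched_from_downloads(procs):
    """(parent pid, child pid, child image) for children of a browser whose image sits under \\Downloads\\."""
    return [(p.parent.pid, p.pid, p.image) for p in procs
            if p.parent and p.parent.basename in BROWSERS and "\\downloads\\" in p.image.lower()]


def reused_pids(procs):
    """PIDs that appear more than once: the OS recycled them, so a PID alone is not a stable key."""
    return sorted(pid for pid, n in Counter(p.pid for p in procs).items() if n > 1)


def render(node, indent=0):
    lines = [f"{'  ' * indent}{node.pid:>5}  {node.basename}"]
    for child in node.children:
        lines.extend(render(child, indent + 1))
    return lines


if __name__ == "__main__":
    procs = parse_rows(ROWS)
    for root in build_tree(procs):
        print("\n".join(render(root)))
    print("browser -> Downloads:", browser_launched_from_downloads(procs))
    print("reused PIDs:", reused_pids(procs))
```

Parsing from the depth digit rather than from PIDs is deliberate: with PID reuse in the listing, parent links keyed on PID would attach the renderer that later got PID 3272 to the wrong place, whereas the depth order is unambiguous.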
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 2daa93382bba07cbc40af372d30ec576
  SHA1: c5e709dc3e2e4df2ff841fbde3e30170e7428a94
  SHA256: 1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30
  SHA512: 65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b
- Filesize: 152B
  MD5: ecdc2754d7d2ae862272153aa9b9ca6e
  SHA1: c19bed1c6e1c998b9fa93298639ad7961339147d
  SHA256: a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7
  SHA512: cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2
- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: 42adc735c34a437e71579deed2bfbf11
  SHA1: 594b4414c5176f179874731e9d174890cdf25cf5
  SHA256: 7c16985f7e6f9d5c81dab51734b57d4bc737a15d6800d8af2acd7e9c4718afe9
  SHA512: 6c73a1972a8332e55fab18467ad0746f9d6238c19b6b99504e43ead15a2bcddfe88d92ce0489db4a5887b4f3ab1af476e2bc70e69ea6013aa8fadafda70716b4
- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5: 8583b6a682eb791ea510a9d13eca6374
  SHA1: 6061af9937d0fa0d6776a54d519849178204ae24
  SHA256: ed2c9400b2e0de4421da3816a9780ae30b98b4714d69c952aa03de643b1aed92
  SHA512: 9f4a4d0e9038a084797c67ac5adf282ab18acfc73bada7ac91efc5b65687a91195676635e077df8e7d69b57e9fd4ebfcfb37bb9e64916ca849f3c8b51ad492af
- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5: 856b0152e8b9d12f98921e217344389f
  SHA1: 0938eeeff76871052e29e9756e8dadbceaffde87
  SHA256: 58f48cde024e3ea57becfb67a5fc62bc229d723b7c6f974e091569c4873212fa
  SHA512: 4393d856743fba04ee419a6261af05dc1891d02b12465df48cf4ec6d426351bdc592eea1ead1354fa8bf94e6ed64af6874bf625dcee6b7a73875cf97538342a6
- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 216B
  MD5: 428acec401d59ca5e72c6edf0241f78d
  SHA1: 37697b57a146c10362c5cf465ee04ff766ee3c1b
  SHA256: c31b424c323152ef3e34b7cdd1ee8d287d952b832d483bb48a6cfb7781e95510
  SHA512: d0d171512934b159db2f92abf11a7c84f74e0db5fb1a2277c7b00d2b7292b84f90a50354aa3757f15cbee0c1a613e0139204d6e38fbeed0e49630f3dfda84fb1
- Filesize: 1KB
  MD5: b62b874ac0760f3e0402cc33cdd91c70
  SHA1: 7dddba487c4c69174fbd7daac93cf998bf9bfe32
  SHA256: 67c5270c0c74d852cb086450e7d9ce309e6e8b373d0c0576d9b73e5782b82ebf
  SHA512: 3642fbb7a878fadac442435c262f273f6d4daba493d354450cf676b0945b27c4fd74bc472722402b346b2c659957250c5333776ca2221fc880853512fe1ada48
- Filesize: 1KB
  MD5: 303467b397e0a2221bf8275d775a2782
  SHA1: 4df79dce0393b3b0c74efabbaff01f132c0719d7
  SHA256: eac7a055d0e8a1f3421f90b6eb6bb621c5f915688261a7370e4c4ec20045243b
  SHA512: 86284eb5c0d94fc2fbe696f76529450fb127fec39121e121135972a5c9e1892337f8625b341d839560fdfb4be68229b88b0bb3cecabb5fd9619641cad8070b8a
- Filesize: 6KB
  MD5: f4a5851b730426ae9c14646e7a5f9a05
  SHA1: 65d759dd7023622e416546c1d8d8253778e746e2
  SHA256: 254e1355c44fba4a11264a6bca9fe5d22d0599d6f92b08f71d1f2baeda91b2eb
  SHA512: 047a7d202b01b0314c4c4f6d3499312820abbb56890d2ac9d88c4c568ef607089b6bc0860e18d0f4ce9b06e0bc016cb25dc294d23363f89106c650090d5127c6
- Filesize: 7KB
  MD5: 4dd8671e5aaceeadfb859c73e8ca43a3
  SHA1: 376ce43d174db94a36746bbc5b1bc0da5fd6af92
  SHA256: cf4209ebd588351c44eec7a14f4f17a0f9c11144b1f4d64b4aaa923bc6d8d834
  SHA512: 28fdfc1f2c93abc96d6efedc5c5afdd160d4b9a800fe074bd87500d0d8107993fbe518ad80bd7f35b5e69a3bb89cde548a7ad95b6b85b0ee7a26db83b9894768
- Filesize: 5KB
  MD5: d156d935dd06ae9e220fb4cecae30f98
  SHA1: 1ef613840d14c7bfc1f1a17df6836f08e11a1abc
  SHA256: b2b266e579e2796eadfe5f07d13b22cdcf860d59a885cb293f986c3a94ac35b7
  SHA512: 38f00db1cf002366c6859f5dc2d647b4a98f8d0aef0a7087db61084992d7ee78ec4ebddf11231edeaa25da6f6529b162298d171fd133d115fce8bd1d11b275e3
- Filesize: 7KB
  MD5: 62f598a94abbdd090ae591bed77f990f
  SHA1: 8abd577952b45c8c498a678a95e95f0b145db96a
  SHA256: 665f7b5c753d36bb53eb1e0decbd542340a52ff31b254127b9b0c626283e43c9
  SHA512: fe523176502895c02384f555c679c2f6a8d404dfdf80ea5aa31f7cb8adbfd9776f9f5d0af0365f6ee2cde2e8f7bb7e82184aad8607daa7a8f0b087745f40c4ac
- Filesize: 6KB
  MD5: 772a26d63f39a3b36871792596f0d3ec
  SHA1: d2f0fe9723a12221922e6ba3daba137498b8d673
  SHA256: 487d221e4e92999197a030e1d269ee739a3a47f2334230952e14d44ffc84f2d6
  SHA512: 83aca147c99e98aba71ee714b3ace1ddc63f6ee71e2d8ca9de3c58d07299b29dbce332791f626bacb5020ccc15bb3350113db88875a716a0372ec29ce4060de9
- Filesize: 7KB
  MD5: 09daa99ea40d5f4b3e9d86efb874439b
  SHA1: badb5dfb073967f34888598736bd229e6eaef36a
  SHA256: 28bfcd63ed473f751361453839ab25d9a78be6d13b01a409f38c8fd3aeb8bb98
  SHA512: 8fa7c171fe6098e81c98af1fae9aaed085bd2b546129be46eb73d9af2fd4d07b13563e36eae9f018787bcec079e660c2aa2e62a80873381a6c2fe3f90ebdfa7e
- Filesize: 706B
  MD5: 4472385c33944e21b7b9c57212293fca
  SHA1: cff4646227013dd5ab56a2c77a2a8581e559579a
  SHA256: 6b9c4f8d850c43dc17e19d48bbd57c84d1c5105714b7ff549679404357417b96
  SHA512: 29f47659e95136c25b49deae015f42af26c3f70886677f061ac172949c296c3021f28254c73034808c1e2213de37b651736d462bd471e6586847d31bf5e0ea7b
- Filesize: 1KB
  MD5: efc62b457b1e900563ed0442c873e7c1
  SHA1: 9d671fbde177d5677488b0c95884bc31c30c0cc0
  SHA256: 73e863170ee254fe873bfec1c3cc54a8da533f92cb1badb7d818fc161ab5f465
  SHA512: 945ca3ab4341295f927be10e0d174c2e0d32a304b56e4d24b4b43c28be55aa5ffd74389d01cebe481def6a83a828c9110b59c6dddd808ffb0087b0e9d0b73af6
- Filesize: 1KB
  MD5: 1564fb8ddf021fb9ec43de5ba30e34aa
  SHA1: 89f104bc4c4e54e9382ee156d69e5ece7d383d9c
  SHA256: 46b7f818448019f6a013971e0f71cc8546a1cf84d39b2bb63dad65e647ae0c47
  SHA512: 53a0e84a5e17f34b56e058a490a35fb458a8df0baaa9ecfea6e473514b5e4d1fb79b514b4abaac6e305d523e5e9fef4a13ccafc427265c1decf8d8f12d25ddab
- Filesize: 1KB
  MD5: 0fba6c4ae9243639d09a2c8f61c4dc9a
  SHA1: dd3f1e1fea1682da925b306a4f12d342260937cb
  SHA256: c41d00ab68b2073a871dc647da82e15af9f333728b413df361dfafbc532c0524
  SHA512: 1c572ab51ac5461c00a14e28604a88f14e7c3b56e8085f91e26b478f2f643fbfa00baf6c2711676f4bbbba3710160a1cd0c2a7848409fc6cc3cfabf0a109e49b
- Filesize: 1KB
  MD5: cc26c2c6fdcf1d5183334be1583c4cf8
  SHA1: 0ab03d3691f6de88d615e50f8d61321e438c4720
  SHA256: 219500dc26b046b3ec96cf20bd10e500daeac8d60110f22e06ae3f12fc1735d6
  SHA512: c6ae6cad290553103955ab23bf4e3c69ffa39816116768a35ddfffdd5fba58d0f86d85e4db471e84da2fed0f15b3ebe16a669e147a64d3b0bdea310bef69539f
- Filesize: 204B
  MD5: 2deef420a21d9e5e6a7ac9855827b184
  SHA1: 0171131963d707fb2aab67f8731620cc8f45cc87
  SHA256: c61ba9e70c8c98d9f2ad486be42565683bd19995611c297525d0fdc9e554afb6
  SHA512: 75212d904838465d7b6d8afe534ac208c041cc060e175b400f23ec6268abdf5f6eb3a22cc42565646686de3a17a4bd3cf73758d4003f0aa45ddabc629a9683f0
- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a644f214-02a0-4713-a708-9cc60d627a35.tmp
  Filesize: 1KB
  MD5: 6baec8ebc4dccfac457b4dd2d1f7102a
  SHA1: e19a2c6ef83d4451a85f2751ac4202edb994f578
  SHA256: d4aa23935bf7c81f035b3db4276be2c9a64cdb7e64f07abddb22e6a3c33815b0
  SHA512: a5fafc05565f4ec4745b30aa8fadc9e5afc955e321bcfc8d8dfb1f5a80c03d11bf2ecfcb419723d3449b359e813b8aea693698c5281989249ed097ff75f33e55
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: aee0960611a329ada6f95c5092f560be
  SHA1: 6c3099ba2addd0f0cd550533627df3a847d7200d
  SHA256: 324b4dfa907aa7338a9ccad43be69cf3fcaf9b05566e2313bdad4b36cb8c2375
  SHA512: a08eba0a0c3d106bce56fce87d54c9f55b322aa46645c9c1c5d08bf5c5fbce492bac1f16541c866e49bee89a28b6f033d7eb02c38ce1b65bad9d4ea138f03818
- Filesize: 12KB
  MD5: 9b65e5f119bb0a486c6db4d6950d044a
  SHA1: ba34a957513ce42d438e570de36bd59bb3f03a09
  SHA256: 050e7302cb9456ab3d71eff2999dc367a0ba11bafbccd95609db7d32ea9b7b5f
  SHA512: d0e86c13f71092d78485521e876a4733ae1d27731dadc6f3815b1e46b4ebe0b26a38a9a64a576ec032b58cacd9073f4ceeb657e942b62de976baed416b6e9622
- Filesize: 576KB
  MD5: 0618414a7257f3f48bf06029ad8ae3fc
  SHA1: 9937f48349759954f546761f13bd2131a1e239c4
  SHA256: 8219b4df7d5690bd702741d23bf7499e2073cce82edb107947553b482dd43c0e
  SHA512: fd0d1172ea56ade0b979acdcd698e4f2c3b5d2528b082350a57ed546ab4f8755ad73fa262405390306ccd08265708d60382f08313c8b5a4b507e7278810d66d1
- Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
- Filesize: 4.4MB
  MD5: 6a4853cd0584dc90067e15afb43c4962
  SHA1: ae59bbb123e98dc8379d08887f83d7e52b1b47fc
  SHA256: ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec
  SHA512: feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996
- Filesize: 3.6MB
  MD5: 698ddcaec1edcf1245807627884edf9c
  SHA1: c7fcbeaa2aadffaf807c096c51fb14c47003ac20
  SHA256: cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b
  SHA512: a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155