Overview
Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-03-2024 15:59
Behavioral tasks (sample, resource)
- behavioral1: Main/CED3D10Hook.dll (win7-20231129-en)
- behavioral2: Main/CED3D10Hook.dll (win10v2004-20231215-en)
- behavioral3: Main/CED3D10Hook64.dll (win7-20240221-en)
- behavioral4: Main/CED3D10Hook64.dll (win10v2004-20240226-en)
- behavioral5: Main/CED3D11Hook.dll (win7-20240221-en)
- behavioral6: Main/CED3D11Hook.dll (win10v2004-20240226-en)
- behavioral7: Main/CED3D11Hook64.dll (win7-20240221-en)
- behavioral8: Main/CED3D11Hook64.dll (win10v2004-20240226-en)
- behavioral9: Main/RUN_ME.bat (win7-20240220-en)
- behavioral10: Main/RUN_ME.bat (win10v2004-20240226-en)
- behavioral11: Main/autorun/AddToNewGroup.js (win7-20240221-en)
- behavioral12: Main/autorun/AddToNewGroup.js (win10v2004-20231215-en)
- behavioral13: Main/autorun/DotNetInterface.js (win7-20240221-en)
- behavioral14: Main/autorun/DotNetInterface.js (win10v2004-20240226-en)
- behavioral15: Main/autorun/JavaInfo.js (win7-20240221-en)
- behavioral16: Main/autorun/JavaInfo.js (win10v2004-20240226-en)
- behavioral17: Main/autorun/JavaSearch.js (win7-20240221-en)
- behavioral18: Main/autorun/JavaSearch.js (win10v2004-20240226-en)
- behavioral19: Main/autorun/MethodInvokeDialog.js (win7-20240221-en)
- behavioral20: Main/autorun/MethodInvokeDialog.js (win10v2004-20240226-en)
- behavioral21: Main/autorun/andtools.js (win7-20240221-en)
- behavioral22: Main/autorun/andtools.js (win10v2004-20240226-en)
- behavioral23: Main/autorun/autosave.js (win7-20240220-en)
- behavioral24: Main/autorun/autosave.js (win10v2004-20240226-en)
- behavioral25: Main/autorun/babyce.js (win7-20240221-en)
- behavioral26: Main/autorun/babyce.js (win10v2004-20240226-en)
- behavioral27: Main/autorun/bigendian.js (win7-20231129-en)
- behavioral28: Main/autorun/bigendian.js (win10v2004-20240226-en)
- behavioral29: Main/autorun/ceshare.js (win7-20240221-en)
- behavioral30: Main/autorun/ceshare.js (win10v2004-20240226-en)
- behavioral31: Main/autorun/ceshare/ceshare_account.js (win7-20240221-en)
- behavioral32: Main/autorun/ceshare/ceshare_account.js (win10v2004-20240226-en)
General
- Target: Main/CED3D10Hook.dll
- Size: 128KB
- MD5: 43dac1f3ca6b48263029b348111e3255
- SHA1: 9e399fddc2a256292a07b5c3a16b1c8bdd8da5c1
- SHA256: 148f12445f11a50efbd23509139bf06a47d453e8514733b5a15868d10cc6e066
- SHA512: 6e77a429923b503fc08895995eb8817e36145169c2937dacc2da92b846f45101846e98191aeb4f0f2f13fff05d0836aa658f505a04208188278718166c5e3032
- SSDEEP: 1536:jRXPVJPMo10+PfXl/IRTlsfQstLh66crJWeWyPCUpfrCWV13P1+CUOEvCvOEMI7:BdJPMlMb1g6e0dU9rf3P7UObvOja
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
Modifies registry class (1 IoC)
Processes: msedge.exe
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{D45F2DA7-0115-4738-90D9-7B6B1396CAD5} (msedge.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes (pid, process, number of entries):
- 3064 msedge.exe (2)
- 1236 msedge.exe (2)
- 4604 msedge.exe (2)
- 4016 identity_helper.exe (2)
- 5828 msedge.exe (4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
Processes (pid, process, number of entries):
- 1236 msedge.exe (11)
Suspicious use of FindShellTrayWindow (26 IoCs)
Processes (pid, process, number of entries):
- 1236 msedge.exe (25)
- 4976 iexplore.exe (1)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid, process, number of entries):
- 1236 msedge.exe (24)
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes (pid, process, number of entries):
- 4976 iexplore.exe (2)
- 3524 IEXPLORE.EXE (3)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, msedge.exe
Distinct parent/child pairs (pid process -> target pid process):
- 3160 rundll32.exe -> 2032 rundll32.exe
- 1236 msedge.exe -> 4720 msedge.exe
- 1236 msedge.exe -> 1976 msedge.exe
- 1236 msedge.exe -> 3064 msedge.exe
- 1236 msedge.exe -> 1372 msedge.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 3160)
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Main\CED3D10Hook.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2032)
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Main\CED3D10Hook.dll,#1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1236)
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4720)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dc1946f8,0x7ff9dc194708,0x7ff9dc194718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1976)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3064)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1372)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1908)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4088)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2412)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2340)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3876)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4868)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3816)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3768 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4604)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3568 /prefetch:8
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2512)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4496)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4016)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4348)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4944)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 680)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4824)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5828)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15011935333097908024,6446519622486034022,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5784 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 3512)
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3896)
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe (PID 3000)
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\Internet Explorer\iexplore.exe (PID 4976)
  Command: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3524)
    Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4976 CREDAT:17410 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads