Overview
overview
5Static
static
3lunar-clie..._3.exe
windows7-x64
4lunar-clie..._3.exe
windows10-2004-x64
4$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
3$PLUGINSDI...er.dll
windows7-x64
1$PLUGINSDI...er.dll
windows10-2004-x64
1$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDI...7z.dll
windows7-x64
3$PLUGINSDI...7z.dll
windows10-2004-x64
3$R0/Uninst...nt.exe
windows7-x64
4$R0/Uninst...nt.exe
windows10-2004-x64
5$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3Resubmissions
17-04-2024 11:48
240417-nyt69afc7y 517-04-2024 11:47
240417-nydt9sfc6w 517-04-2024 11:46
240417-nxfmgadf82 516-04-2024 17:06
240416-vmg6wahb7x 5Analysis
-
max time kernel
1798s -
max time network
1699s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
17-04-2024 11:47
Static task
static1
Behavioral task
behavioral1
Sample
lunar-client-v3_2_3.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
lunar-client-v3_2_3.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral17
Sample
$R0/Uninstall Lunar Client.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
$R0/Uninstall Lunar Client.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240215-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral23
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20240220-en
Behavioral task
behavioral24
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral25
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240215-en
Behavioral task
behavioral26
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240412-en
General
-
Target
$R0/Uninstall Lunar Client.exe
-
Size
404KB
-
MD5
227c1f9fe7c7f6fb24a451a5ca84e722
-
SHA1
9c34be548c0b2affd930d05c1b315a5cbe9bca45
-
SHA256
bafcf2b563e935de1c9d2d55413d25b9a06a8ee8b4cdab49ba7bfe0bfb5c668a
-
SHA512
1fde79719e176eaa9f23211f9679d5406c219b2ae074227306001ea88c3c2f10c1ed1e0e52b10bc1e0ca9adc4cdc82d2da474ce7e59defaae816655ddc0fce66
-
SSDEEP
3072:Wn77v00hEoDEtauTsqBGeQIfxqxAjDsksbfVl1snhl+l2L0Sa9/l7a4vZAzLmDVH:W740IEa+J+Rql1DKs2t0EyL+ya2
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Un_A.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation Un_A.exe -
Executes dropped EXE 1 IoCs
Processes:
Un_A.exepid process 3572 Un_A.exe -
Loads dropped DLL 6 IoCs
Processes:
Un_A.exepid process 3572 Un_A.exe 3572 Un_A.exe 3572 Un_A.exe 3572 Un_A.exe 3572 Un_A.exe 3572 Un_A.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
Un_A.exetasklist.exemsedge.exemsedge.exeidentity_helper.exemsedge.exepid process 3572 Un_A.exe 3572 Un_A.exe 3156 tasklist.exe 3156 tasklist.exe 2272 msedge.exe 2272 msedge.exe 716 msedge.exe 716 msedge.exe 4784 identity_helper.exe 4784 identity_helper.exe 2536 msedge.exe 2536 msedge.exe 2536 msedge.exe 2536 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
msedge.exepid process 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tasklist.exedescription pid process Token: SeDebugPrivilege 3156 tasklist.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe 716 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Uninstall Lunar Client.exeUn_A.execmd.exemsedge.exedescription pid process target process PID 1960 wrote to memory of 3572 1960 Uninstall Lunar Client.exe Un_A.exe PID 1960 wrote to memory of 3572 1960 Uninstall Lunar Client.exe Un_A.exe PID 1960 wrote to memory of 3572 1960 Uninstall Lunar Client.exe Un_A.exe PID 3572 wrote to memory of 5108 3572 Un_A.exe cmd.exe PID 3572 wrote to memory of 5108 3572 Un_A.exe cmd.exe PID 3572 wrote to memory of 5108 3572 Un_A.exe cmd.exe PID 5108 wrote to memory of 3156 5108 cmd.exe tasklist.exe PID 5108 wrote to memory of 3156 5108 cmd.exe tasklist.exe PID 5108 wrote to memory of 3156 5108 cmd.exe tasklist.exe PID 5108 wrote to memory of 1868 5108 cmd.exe find.exe PID 5108 wrote to memory of 1868 5108 cmd.exe find.exe PID 5108 wrote to memory of 1868 5108 cmd.exe find.exe PID 3572 wrote to memory of 716 3572 Un_A.exe msedge.exe PID 3572 wrote to memory of 716 3572 Un_A.exe msedge.exe PID 716 wrote to memory of 2364 716 msedge.exe msedge.exe PID 716 wrote to memory of 2364 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2812 716 msedge.exe msedge.exe PID 716 wrote to memory of 2272 716 msedge.exe msedge.exe PID 716 wrote to memory of 2272 716 msedge.exe msedge.exe PID 716 wrote to memory of 4768 716 msedge.exe msedge.exe PID 716 wrote to memory of 4768 716 msedge.exe msedge.exe PID 716 wrote to memory of 4768 716 msedge.exe msedge.exe PID 716 wrote to memory of 4768 716 msedge.exe msedge.exe PID 716 wrote to memory of 4768 716 msedge.exe msedge.exe PID 716 wrote to memory of 4768 716 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe"C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\cmd.execmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Lunar Client.exe" | %SYSTEMROOT%\System32\find.exe "Lunar Client.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\tasklist.exetasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Lunar Client.exe"4⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156 -
C:\Windows\SysWOW64\find.exeC:\Windows\System32\find.exe "Lunar Client.exe"4⤵PID:1868
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lunarclient.com/uninstaller/?installId=unknown3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea8d846f8,0x7ffea8d84708,0x7ffea8d847184⤵PID:2364
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:24⤵PID:2812
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:2272 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:84⤵PID:4768
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:14⤵PID:4288
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:14⤵PID:4312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:14⤵PID:4164
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:14⤵PID:1996
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:14⤵PID:5032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:14⤵PID:2692
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:84⤵PID:1624
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:4784 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:14⤵PID:4832
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:14⤵PID:2476
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14245164698574431801,6159403386610071226,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2960 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
PID:2536
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3236
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD52579d07b98bbefadc929d80fb3dbd32a
SHA11ceb57c4b81f0f23500e118a4b9a225116a467de
SHA256b8443c289ad36568a2bf794ac9ec1f259a9dd930c36680dafc8d0cb4de81feb6
SHA51253522ad5e8e2a272d5b1bff9b9226b7d976d47413891c60d7efebd4365baff12b6891e3f79b20e14892ec7c654ad2d437941014290c428c6b1bd78a7b3e557de
-
Filesize
152B
MD58c91c8582b0c918416d14bd7eedd686e
SHA1b2ff8149bc21144fdcec64111afda492965c6621
SHA2561e839706b748c04adf8efa2790564ca1efd707fdf6451e71af6862e07123717e
SHA512a93be868d9f08097bff39069378a0bfa0f5c78e74e9e8df820be9b0426cbfe84e03e9638b329b6142279ed140a120c4c4c21857f410fc4789a370445c3919dcf
-
Filesize
648B
MD515e68de80516b470fa901f14532e374b
SHA1bfb023c8e448d6f9a6c6e530d18efe390e25d19a
SHA256c38c01506b703dc6eeedcb204cff6ac2889b6824c361819fb17ba7b0e2681ee8
SHA512760a11a8fe8f7ccb38962e1f571a6a86524294e8e36532b91c1fa5ea9a53fbe7b63d7cb955e86f4c54cabc0dc6288988a8676ad881d9f96f40dce5ffc0dbf577
-
Filesize
2KB
MD5b50fa3914313aedef27440486bdca8f2
SHA1d9715663184b20f65654e86b253ea467b224c83e
SHA256f5b73696a5407b8a61ecd7da283f7701190873cf1429b492eb0eb7b70a619b77
SHA512425c8de746fd756c1d5033f19560eb318691c9048c720db36a2212ad7c754764cbfb4cde9ac0ecc83f12734357f6b7e63cc09c5980cbe1d9ea886d148f97dd9c
-
Filesize
7KB
MD56708b876b187bf408f7f6e0685aab227
SHA17cb2c1469fb5f7f874edd6b840707bf3507a8830
SHA256e32a22f22d0a28a28d0f10457597ac0b954dfe948dc6822f90d81bdd46b5650d
SHA512be5ffd17d368988253f8f08caf5af018ca1dd8a095e5f148f87f4d60be515d328c5bcc65e8ba99757c8a2fbd520a01e4453849bbe30c6ef9efaafd4a5d4a8135
-
Filesize
6KB
MD52a82a91d71c1973cb369d372aefc8057
SHA1d77e84135cfffa5bb020737e72f4d77185d8b9d3
SHA25648455117073f720008d044dfc9d1bba5b1808b9a81111cd2902f7c25491dab69
SHA512bb78d7ac975fd827fc55647658592ee59f15e0758964de75dcc1949220df0a078854e6cb009048af2613ace9e00f8cf96649df373cd55cf0a3cc5aa3f5dfe617
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD5736fc12296fc32690a296a0190396b7b
SHA18e44e456f6ba23efba2468c5de33fb2d77cd1e93
SHA2568b03dc91eda10152e808c89b33bc634b9791a23ce4d44f7b011f51a4d1121992
SHA5124db9bd7a2bc97756d26951e434845cc0fda8ea482173e5ddfafccc8ba460fc0c2968333399503766a9d1b08332737030019974407d844ec967fe18a3d4249d0d
-
Filesize
100KB
MD5c6a6e03f77c313b267498515488c5740
SHA13d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA5129870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
-
Filesize
12KB
MD50d7ad4f45dc6f5aa87f606d0331c6901
SHA148df0911f0484cbe2a8cdd5362140b63c41ee457
SHA2563eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
Filesize
3KB
MD51cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA10b9519763be6625bd5abce175dcc59c96d100d4c
SHA2569be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA5127acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f
-
Filesize
6KB
MD5ec0504e6b8a11d5aad43b296beeb84b2
SHA191b5ce085130c8c7194d66b2439ec9e1c206497c
SHA2565d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA5123f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57
-
Filesize
404KB
MD5227c1f9fe7c7f6fb24a451a5ca84e722
SHA19c34be548c0b2affd930d05c1b315a5cbe9bca45
SHA256bafcf2b563e935de1c9d2d55413d25b9a06a8ee8b4cdab49ba7bfe0bfb5c668a
SHA5121fde79719e176eaa9f23211f9679d5406c219b2ae074227306001ea88c3c2f10c1ed1e0e52b10bc1e0ca9adc4cdc82d2da474ce7e59defaae816655ddc0fce66
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e