5ea427c25bf86d66d8d7de62dc85e1a42f65189a3806d05940332a148337c417

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22/04/2024, 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$R0/Uninstall Lunar Client.exe
Size

179KB
MD5

43e77e22b80c7d1535025dabb1b1eb5e
SHA1

5e8ecb175e7a2fef3d0b61afadb94484ccc3bf8a
SHA256

e2e372e3f2885f855bc375cc84d424dd2c60c6649668b2c2b8a8e77a74f8f7d9
SHA512

3a0e36c3e085e656473bb9868dadb3eb9b479f5b2809c5931c94e10467f51d04fd6246fc858cf0058b6607b72ac5efde42351fd854816231e015672dcc4e6a88
SSDEEP

3072:Xn77v00hEoDEtau24lkW6Dx/XItjLSTtWIDlXiGzcTyQxwRTApim8/aH2tvhOEAl:X740IGskW6V4tjLSTPpiGzcTsP7/s2ta

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
796	Un_A.exe

Loads dropped DLL 6 IoCs

pid	Process
796	Un_A.exe
796	Un_A.exe
796	Un_A.exe
796	Un_A.exe
796	Un_A.exe
796	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
796	Un_A.exe
796	Un_A.exe
1596	msedge.exe
1596	msedge.exe
2812	msedge.exe
2812	msedge.exe
2376	identity_helper.exe
2376	identity_helper.exe
1096	msedge.exe
1096	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 796	3344	Uninstall Lunar Client.exe	80
PID 3344 wrote to memory of 796	3344	Uninstall Lunar Client.exe	80
PID 3344 wrote to memory of 796	3344	Uninstall Lunar Client.exe	80
PID 796 wrote to memory of 2812	796	Un_A.exe	82
PID 796 wrote to memory of 2812	796	Un_A.exe	82
PID 2812 wrote to memory of 868	2812	msedge.exe	83
PID 2812 wrote to memory of 868	2812	msedge.exe	83
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 4200	2812	msedge.exe	85
PID 2812 wrote to memory of 1596	2812	msedge.exe	86
PID 2812 wrote to memory of 1596	2812	msedge.exe	86
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87
PID 2812 wrote to memory of 824	2812	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe
"C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lunarclient.com/uninstaller/?installId=unknown
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffff1c13cb8,0x7ffff1c13cc8,0x7ffff1c13cd8
      4⤵
      PID:868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
      4⤵
      PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
      4⤵
      PID:824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      PID:3720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:1344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      4⤵
      PID:4196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
      4⤵
      PID:2152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      4⤵
      PID:2596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
      4⤵
      PID:3904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
      4⤵
      PID:3536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
      4⤵
      PID:1880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,10154142145713241257,12500954047738568398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21986fa2280bae3957498a58adf62fc2

SHA1
d01ad69975b7dc46eba6806783450f987fa2b48d

SHA256
c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

SHA512
ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0fcda4fac8ec713700f95299a89bc126

SHA1
576a818957f882dc0b892a29da15c4bb71b93455

SHA256
f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

SHA512
ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
c58273a1b351997ac243051df0ff46e2

SHA1
955cff8af3109f1365e225b417814b8e9309899c

SHA256
8422a5ca49b623f5191dc990173e991773fd355bf130bcd4774fde70badc3e95

SHA512
837ab873456a9435dfdfbdaadc1f87b4a772760d1c3c2eefbb17a3647a4b4bf59997bfcca485c774076d7f5832541c036b5bbff30ec001a576a3e6f3460e7e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4ce5f2d3e7d4877407df585d826d3c10

SHA1
62cfbe572e2c87cc085be8f1a49e8359ea474a0a

SHA256
dcd22f059be8cd5e68db39d5e07ddf50cfb1511330f97bf81f0a162becdc26b5

SHA512
31a3d8908a8eb7d645701aa28f94f4b0c2b3f57c7f3093ef4b00667af171b842a7730c9928b2965f280c827f7fef8254bff5639eff86bbd7bc6bee2bbefcf0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5475678b7afd52a42158eac3fac982da

SHA1
8f467f680036d4c6845a4fa7559e5b45ff973bba

SHA256
e81c287c34a4789bf33254efebbec490d74e5b81c825cdb20d5c20d6f5ff9638

SHA512
07608b9688e7099f0b015e026601f8aae6e5ae9c02ab78838ea81b6309c3960e4ce12513defe912ce844185b61fb58cbf3fe13322a8bf24b879372263823c502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
443a59faa8afdf7d5dbb7f4c75066e64

SHA1
0bd762725666be5abd3a4addabaff036440f1560

SHA256
526a03137c7cffff5fe9bd2ff66ba889ab3a7126d4d27cfc4e301fcb969dae39

SHA512
8bce7f272e912185c6bf935d5b06070fa42cf715d5defcc020d3cf8adf046434651b100b05a26c0ae9e11b8a147498a365bda4b34280a491c7719de552749623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d81d5eb353c69dbf1110bcf24ba8e23c

SHA1
70232c1e1f61af4d039ead90da58363e602f12d9

SHA256
1b445fe83b4b3f0f22a64b7c0b6370f954bd80bef045520e47a960c990a338d6

SHA512
9c6d19911295dac27f0ae2519cafd84b13ef4840ec855298f002c55a817cf612b7243c104079b3ac21534ff8b38a9afbbcb64c3d108f364c28aafd90fff44d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8d926543856bef89cb7af71068b3d583

SHA1
0ea665675a2d0ec70de1145c288b77b620f2d1e4

SHA256
b386ecb629d0e0874d470e1218d3286b3881b0cfb2691304a5e6a8f50a023eff

SHA512
368a855a15f3ef7c8969bcafb0762463b3a7d360bc4d42592c7257575b3394146fa463287abbdfd2ec89f5cd3483df5ff9cd644756563f7a7304fccaf623a3a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b7042cda37d79e364328a38266fb082b

SHA1
44632cf9b5da91655c2d90dcc5ab9420e5d89998

SHA256
321d032417ad05c24aae978698c5e677c46063ec71b66cef37517f77c807e84e

SHA512
bbe178942dfb349dd6c2640eb0199b77ad51b739f0d72aa1f5ff2b467e360483f8bb7646fd6093a1eb6e4c38870940c8ba6c90d510997da453e6677e1982386c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy41CD.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy41CD.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy41CD.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy41CD.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
179KB

MD5
43e77e22b80c7d1535025dabb1b1eb5e

SHA1
5e8ecb175e7a2fef3d0b61afadb94484ccc3bf8a

SHA256
e2e372e3f2885f855bc375cc84d424dd2c60c6649668b2c2b8a8e77a74f8f7d9

SHA512
3a0e36c3e085e656473bb9868dadb3eb9b479f5b2809c5931c94e10467f51d04fd6246fc858cf0058b6607b72ac5efde42351fd854816231e015672dcc4e6a88

Download Submit