Analysis
max time kernel: 139s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 18:19
Tasks
static1: static task
behavioral1: Lunar Client v3.2.9.exe (win7-20240220-en)
behavioral2: Lunar Client v3.2.9.exe (win10v2004-20240508-en)
behavioral3: $PLUGINSDIR/INetC.dll (win7-20240221-en)
behavioral4: $PLUGINSDIR/INetC.dll (win10v2004-20240508-en)
behavioral5: $PLUGINSDIR/SpiderBanner.dll (win7-20231129-en)
behavioral6: $PLUGINSDIR/SpiderBanner.dll (win10v2004-20240508-en)
behavioral7: $PLUGINSDIR/StdUtils.dll (win7-20240221-en)
behavioral8: $PLUGINSDIR/StdUtils.dll (win10v2004-20240426-en)
behavioral9: $PLUGINSDIR/System.dll (win7-20240419-en)
behavioral10: $PLUGINSDIR/System.dll (win10v2004-20240226-en)
behavioral11: $PLUGINSDIR/WinShell.dll (win7-20240508-en)
behavioral12: $PLUGINSDIR/WinShell.dll (win10v2004-20240426-en)
behavioral13: $PLUGINSDIR/nsExec.dll (win7-20240221-en)
behavioral14: $PLUGINSDIR/nsExec.dll (win10v2004-20240426-en)
behavioral15: $PLUGINSDIR/nsis7z.dll (win7-20240221-en)
behavioral16: $PLUGINSDIR/nsis7z.dll (win10v2004-20240508-en)
behavioral17: $R0/Uninstall Lunar Client.exe (win7-20240508-en)
behavioral18: $R0/Uninstall Lunar Client.exe (win10v2004-20240508-en)
behavioral19: $PLUGINSDIR/StdUtils.dll (win7-20240419-en)
behavioral20: $PLUGINSDIR/StdUtils.dll (win10v2004-20240426-en)
behavioral21: $PLUGINSDIR/System.dll (win7-20240220-en)
behavioral22: $PLUGINSDIR/System.dll (win10v2004-20240508-en)
behavioral23: $PLUGINSDIR/WinShell.dll (win7-20240221-en)
behavioral24: $PLUGINSDIR/WinShell.dll (win10v2004-20240226-en)
behavioral25: $PLUGINSDIR/nsExec.dll (win7-20240508-en)
behavioral26: $PLUGINSDIR/nsExec.dll (win10v2004-20240426-en)
General
Target: $R0/Uninstall Lunar Client.exe
Size: 179KB
MD5: 395e128165d4055f95d57340688dad4d
SHA1: 367fa60a2a29a218a53527b748a45d0950d84492
SHA256: b797f2079a029f0188970f162b642fe7bdbe21f3773e17909eadec901b936681
SHA512: f9ce3c77da554b246d9ddc3fa7f0d31ec809ffce3e1d6e56caec5da6f339692872cce0912f0008bdb67fde5712762ba783a76c217498bbcdc8f04f9994fcbf5b
SSDEEP: 3072:6n77v00hEoDEtau24lkW6Dx/XItjLSTtWIDlXiGzcTL6w4wPEaH2tvhOEA1RJCii:6740IGskW6V4tjLSTPpiGzcTH58s2t0+
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Un_A.exe: key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  3628 Un_A.exe

Loads dropped DLL (6 IoCs)
  3628 Un_A.exe (6 entries)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  msedge.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  3628 Un_A.exe (2 entries), 1964 msedge.exe (2 entries), 4268 msedge.exe (2 entries), 4860 identity_helper.exe (2 entries), 3740 msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  4268 msedge.exe (8 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
  4268 msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  4268 msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1984 (Uninstall Lunar Client.exe) wrote to memory of 3628 (Un_A.exe): 3 entries
  PID 3628 (Un_A.exe) wrote to memory of 4268 (msedge.exe): 2 entries
  PID 4268 (msedge.exe) wrote to memory of 1228 (msedge.exe): 2 entries
  PID 4268 (msedge.exe) wrote to memory of 1676 (msedge.exe): repeated
  PID 4268 (msedge.exe) wrote to memory of 1964 (msedge.exe): 2 entries
  PID 4268 (msedge.exe) wrote to memory of 780 (msedge.exe): repeated
  (64 entries in total across this table)
Processes (indented by parent/child depth)

"C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe"
  - Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lunarclient.com/uninstaller/?installId=unknown
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe31f746f8,0x7ffe31f74708,0x7ffe31f74718
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2700 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,18262849436504877910,462865448790728244,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5092 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads
Dropped or modified files (path, size):
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B, second version)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (672B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (2KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (7KB, second version)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
C:\Users\Admin\AppData\Local\Temp\nsi42F5.tmp\StdUtils.dll (100KB)
C:\Users\Admin\AppData\Local\Temp\nsi42F5.tmp\System.dll (12KB)
C:\Users\Admin\AppData\Local\Temp\nsi42F5.tmp\WinShell.dll (3KB)
C:\Users\Admin\AppData\Local\Temp\nsi42F5.tmp\nsExec.dll (6KB)
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe (179KB; same MD5/SHA1/SHA256/SHA512 as the analysed target listed under General)
\??\pipe\LOCAL\crashpad_4268_BXSISKYKSTWQJMRO (named pipe, no size; hashed as an empty file)