Overview

Score  Sample                   Platform
5      Static                   static
3      Lunar Clie...10.exe      windows7-x64
4      Lunar Clie...10.exe      windows10-2004-x64
4      Lunar Clie...10.exe      macos-10.15-amd64
1      $PLUGINSDIR/INetC.dll    windows7-x64
3      $PLUGINSDIR/INetC.dll    windows10-2004-x64
3      $PLUGINSDIR/INetC.dll    macos-10.15-amd64
4      $PLUGINSDI...er.dll      windows7-x64
1      $PLUGINSDI...er.dll      windows10-2004-x64
1      $PLUGINSDI...er.dll      macos-10.15-amd64
1      $PLUGINSDI...ls.dll      windows7-x64
3      $PLUGINSDI...ls.dll      windows10-2004-x64
3      $PLUGINSDI...ls.dll      macos-10.15-amd64
1      $PLUGINSDI...em.dll      windows7-x64
3      $PLUGINSDI...em.dll      windows10-2004-x64
3      $PLUGINSDI...em.dll      macos-10.15-amd64
1      $PLUGINSDI...ll.dll      windows7-x64
3      $PLUGINSDI...ll.dll      windows10-2004-x64
3      $PLUGINSDI...ll.dll      macos-10.15-amd64
4      $PLUGINSDI...co.ico      windows7-x64
3      $PLUGINSDI...co.ico      windows10-2004-x64
3      $PLUGINSDI...co.ico      macos-10.15-amd64
4      $PLUGINSDI...ec.dll      windows7-x64
3      $PLUGINSDI...ec.dll      windows10-2004-x64
3      $PLUGINSDI...ec.dll      macos-10.15-amd64
1      $PLUGINSDI...7z.dll      windows7-x64
3      $PLUGINSDI...7z.dll      windows10-2004-x64
3      $PLUGINSDI...7z.dll      macos-10.15-amd64
4      $R0/Uninst...nt.exe      windows7-x64
4      $R0/Uninst...nt.exe      windows10-2004-x64
5      $R0/Uninst...nt.exe      macos-10.15-amd64
1      $PLUGINSDI...ls.dll      windows7-x64
3      $PLUGINSDI...ls.dll      windows10-2004-x64
Analysis (score 3)

- max time kernel: 139s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-06-2024 22:49
Static task: static1

Behavioral tasks:

Task          Sample                              Resource
behavioral1   Lunar Client v3.2.10.exe            win7-20240220-en
behavioral2   Lunar Client v3.2.10.exe            win10v2004-20240426-en
behavioral3   Lunar Client v3.2.10.exe            macos-20240410-en
behavioral4   $PLUGINSDIR/INetC.dll               win7-20240508-en
behavioral5   $PLUGINSDIR/INetC.dll               win10v2004-20240226-en
behavioral6   $PLUGINSDIR/INetC.dll               macos-20240410-en
behavioral7   $PLUGINSDIR/SpiderBanner.dll        win7-20240221-en
behavioral8   $PLUGINSDIR/SpiderBanner.dll        win10v2004-20240508-en
behavioral9   $PLUGINSDIR/SpiderBanner.dll        macos-20240410-en
behavioral10  $PLUGINSDIR/StdUtils.dll            win7-20240221-en
behavioral11  $PLUGINSDIR/StdUtils.dll            win10v2004-20240426-en
behavioral12  $PLUGINSDIR/StdUtils.dll            macos-20240410-en
behavioral13  $PLUGINSDIR/System.dll              win7-20240221-en
behavioral14  $PLUGINSDIR/System.dll              win10v2004-20240426-en
behavioral15  $PLUGINSDIR/System.dll              macos-20240410-en
behavioral16  $PLUGINSDIR/WinShell.dll            win7-20240508-en
behavioral17  $PLUGINSDIR/WinShell.dll            win10v2004-20240426-en
behavioral18  $PLUGINSDIR/WinShell.dll            macos-20240410-en
behavioral19  $PLUGINSDIR/installerHeaderico.ico  win7-20240508-en
behavioral20  $PLUGINSDIR/installerHeaderico.ico  win10v2004-20240508-en
behavioral21  $PLUGINSDIR/installerHeaderico.ico  macos-20240410-en
behavioral22  $PLUGINSDIR/nsExec.dll              win7-20240419-en
behavioral23  $PLUGINSDIR/nsExec.dll              win10v2004-20240226-en
behavioral24  $PLUGINSDIR/nsExec.dll              macos-20240410-en
behavioral25  $PLUGINSDIR/nsis7z.dll              win7-20240221-en
behavioral26  $PLUGINSDIR/nsis7z.dll              win10v2004-20240426-en
behavioral27  $PLUGINSDIR/nsis7z.dll              macos-20240410-en
behavioral28  $R0/Uninstall Lunar Client.exe      win7-20240419-en
behavioral29  $R0/Uninstall Lunar Client.exe      win10v2004-20240508-en
behavioral30  $R0/Uninstall Lunar Client.exe      macos-20240410-en
behavioral31  $PLUGINSDIR/StdUtils.dll            win7-20240508-en
behavioral32  $PLUGINSDIR/StdUtils.dll            win10v2004-20240508-en
General

- Target: $R0/Uninstall Lunar Client.exe
- Size: 179KB
- MD5: e5631be1a47db5e083eea62d40178dd8
- SHA1: 83154f1b1cd81fee968a939172500c09d07cb048
- SHA256: e9465a3bec6550f1182dc87a0f3d73b6f4722aeed33b2cb2c17451e1e580cfd8
- SHA512: a4e4aeb0bea96bd6e51c3c24b911f6363fabd3434728b1d9c5f7ddc522a76297935d4cd1b4c1ad1f1a6e2bd02b137752c0d464b419aa5a64f7a241a7da442d3a
- SSDEEP: 3072:An77v00hEoDEtau24lkW6Dx/XItjLSTtWIDlXiGzILKk3/xaH2tvhOEA1RJCir8M:A740ImskW6V4tjLSTPpiGzILLps2t0EI
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                    process
    Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  Un_A.exe

- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1240  Un_A.exe

- Loads dropped DLL (6 IoCs)
  Processes:
    pid   process
    1240  Un_A.exe  (6 entries)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description        ioc                                                                   process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid   process
    1240  Un_A.exe             (2 entries)
    4912  msedge.exe           (2 entries)
    3516  msedge.exe           (2 entries)
    3312  identity_helper.exe  (2 entries)
    1540  msedge.exe           (4 entries)

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  Processes:
    pid   process
    3516  msedge.exe  (8 entries)

- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes:
    pid   process
    3516  msedge.exe  (25 entries)

- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes:
    pid   process
    3516  msedge.exe  (24 entries)

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (distinct source/target pairs; each pair is repeated once per call, 64 entries in total):
    description      pid   process                     target process
    wrote to memory  3756  Uninstall Lunar Client.exe  Un_A.exe (pid 1240)
    wrote to memory  1240  Un_A.exe                    msedge.exe (pid 3516)
    wrote to memory  3516  msedge.exe                  msedge.exe (pid 2592)
    wrote to memory  3516  msedge.exe                  msedge.exe (pid 4240)
    wrote to memory  3516  msedge.exe                  msedge.exe (pid 4912)
    wrote to memory  3516  msedge.exe                  msedge.exe (pid 3600)
Processes

- C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe"
  PID: 3756
  Signatures: Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\
    PID: 1240
    Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lunarclient.com/uninstaller/?installId=unknown
      PID: 3516
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8952046f8,0x7ff895204708,0x7ff895204718
        PID: 2592

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        PID: 4240

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        PID: 4912
        Signatures: Suspicious behavior: EnumeratesProcesses

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
        PID: 3600

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        PID: 4084

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        PID: 1488

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
        PID: 1744

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
        PID: 1940

      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
        PID: 3224

      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
        PID: 3312
        Signatures: Suspicious behavior: EnumeratesProcesses

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
        PID: 4624

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
        PID: 1400

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
        PID: 2316

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
        PID: 3736

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8245684293940076535,13949435553293494162,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5584 /prefetch:2
        PID: 1540
        Signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 456

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 964
Network
MITRE ATT&CK Enterprise v15
Downloads