Analysis
max time kernel: 87s
max time network: 89s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 02:49
Static task: static1
Behavioral task: behavioral1
Sample: LUNA RAIDER.exe
Resource: win7-20240611-en
General
Target: LUNA RAIDER.exe
Size: 8.2MB
MD5: 0437fa16eec1dedfd1ddf69afcccbf0f
SHA1: 1649d8123ebbbc26857b0383efbbc8c329f23161
SHA256: 01b82e741a88ef644df41689744f4a883d25f4ea3ad172b0a7c61b9d7eddd712
SHA512: 5e995a9b3ec1cee80700f4c7f264b09f826a67bdfc65c67bb848815f5289656580e3f62853e0397da0a425ba28fabe385674320d53c36363abab2b2497de5eb2
SSDEEP: 196608:b2qInJf+oTjOGNW+8u8tMmo/UIaIZQHFUQsGZgqBPtgsV:b2qIn4GN8osIVZQu6gAFgk
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload 1 IoCs
  resource: behavioral2/memory/744-7-0x0000000006140000-0x0000000006336000-memory.dmp  (yara_rule: family_agenttesla)

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation  (LUNA RAIDER.exe)

Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource: behavioral2/memory/744-10-0x0000000006C50000-0x0000000006DDE000-memory.dmp  (yara_rule: agile_net)
  resource: behavioral2/memory/744-11-0x0000000007FB0000-0x00000000080FE000-memory.dmp  (yara_rule: agile_net)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry 2 TTPs 6 IoCs
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (LUNA RAIDER.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion  (LUNA RAIDER.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (LUNA RAIDER.exe)

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\PhishingFilter  (iexplore.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = adc91b446da1da01  (iexplore.exe)

Modifies Internet Explorer settings
  Set value (data): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  (iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{38AC43CD-21E0-4C98-A200-EBAB6784E104}"  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main  (IEXPLORE.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\MINIE  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main  (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4A11CB27-35C2-11EF-A084-6E6D447F5FDC} = "0"  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main  (IEXPLORE.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main  (IEXPLORE.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU  (IEXPLORE.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main  (iexplore.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  (iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""  (IEXPLORE.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\RepId  (iexplore.exe)

Modifies registry class 4 IoCs
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings  (LUNA RAIDER.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings  (OpenWith.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings  (iexplore.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{33E67225-FCC6-46CD-AB25-F7C187699A5A}  (msedge.exe)

Suspicious behavior: EnumeratesProcesses 8 IoCs
  pid 1248 msedge.exe (x2)
  pid 3796 msedge.exe (x2)
  pid 4776 identity_helper.exe (x2)
  pid 1604 msedge.exe (x2)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid 2372 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  pid 3796 msedge.exe (x12)

Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeDebugPrivilege  pid 744 LUNA RAIDER.exe

Suspicious use of FindShellTrayWindow 32 IoCs
  pid 1532 iexplore.exe (x7)
  pid 3796 msedge.exe (x25)

Suspicious use of SendNotifyMessage 24 IoCs
  pid 3796 msedge.exe (x24)

Suspicious use of SetWindowsHookEx 64 IoCs
  pid 2372 OpenWith.exe (x64)

Suspicious use of WriteProcessMemory 64 IoCs
  PID 744 (LUNA RAIDER.exe) wrote to memory of PID 3980 (cmd.exe)  (x3)
  PID 3980 (cmd.exe) wrote to memory of PID 2796 (choice.exe)  (x3)
  PID 2372 (OpenWith.exe) wrote to memory of PID 1532 (iexplore.exe)  (x2)
  PID 1532 (iexplore.exe) wrote to memory of PID 3664 (IEXPLORE.EXE)  (x3)
  PID 1532 (iexplore.exe) wrote to memory of PID 3908 (iexplore.exe)  (x2)
  PID 1532 (iexplore.exe) wrote to memory of PID 3816 (IEXPLORE.EXE)  (x3)
  PID 1532 (iexplore.exe) wrote to memory of PID 2932 (iexplore.exe)  (x2)
  PID 1532 (iexplore.exe) wrote to memory of PID 2500 (IEXPLORE.EXE)  (x3)
  PID 3796 (msedge.exe) wrote to memory of PID 3952 (msedge.exe)  (x2)
  PID 3796 (msedge.exe) wrote to memory of PID 3340 (msedge.exe)  (x40)
  PID 3796 (msedge.exe) wrote to memory of PID 1248 (msedge.exe)  (x1)

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes
[1] C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe"
    - Checks computer location settings
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\choice.exe
        cmd: choice /C Y /N /D Y /T 3
[1] C:\Windows\system32\OpenWith.exe
    cmd: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\Internet Explorer\iexplore.exe
      cmd: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER-OOMNP.rar
      - Modifies Internet Explorer Phishing Filter
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:17410 /prefetch:2
        - Modifies Internet Explorer settings
    [3] C:\Program Files\Internet Explorer\iexplore.exe
        cmd: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER-OOMNP.rar
        - Modifies Internet Explorer settings
    [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:82948 /prefetch:2
        - Modifies Internet Explorer settings
    [3] C:\Program Files\Internet Explorer\iexplore.exe
        cmd: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER-OOMNP.rar
        - Modifies Internet Explorer settings
    [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:17422 /prefetch:2
        - Modifies Internet Explorer settings
[1] C:\Windows\System32\rundll32.exe
    cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa181446f8,0x7ffa18144708,0x7ffa18144718
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5372 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5640 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5632 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Memory dumps (pid 744)
memory/744-0-0x00000000749DE000-0x00000000749DF000-memory.dmp  4KB
memory/744-1-0x0000000000C20000-0x0000000001466000-memory.dmp  8.3MB
memory/744-2-0x0000000006550000-0x0000000006AF4000-memory.dmp  5.6MB
memory/744-3-0x0000000005ED0000-0x0000000005F62000-memory.dmp  584KB
memory/744-4-0x0000000005E00000-0x0000000005E12000-memory.dmp  72KB
memory/744-5-0x0000000005EA0000-0x0000000005EAA000-memory.dmp  40KB
memory/744-6-0x00000000749D0000-0x0000000075180000-memory.dmp  7.7MB
memory/744-7-0x0000000006140000-0x0000000006336000-memory.dmp  2.0MB
memory/744-8-0x0000000006B00000-0x0000000006C4E000-memory.dmp  1.3MB
memory/744-9-0x0000000006090000-0x00000000060A4000-memory.dmp  80KB
memory/744-10-0x0000000006C50000-0x0000000006DDE000-memory.dmp  1.6MB
memory/744-11-0x0000000007FB0000-0x00000000080FE000-memory.dmp  1.3MB
memory/744-12-0x0000000008130000-0x0000000008160000-memory.dmp  192KB
memory/744-13-0x0000000008180000-0x0000000008296000-memory.dmp  1.1MB
memory/744-14-0x00000000749D0000-0x0000000075180000-memory.dmp  7.7MB
memory/744-15-0x000000000AAC0000-0x000000000AAFC000-memory.dmp  240KB
memory/744-16-0x000000000AB00000-0x000000000AB1A000-memory.dmp  104KB
memory/744-20-0x00000000749D0000-0x0000000075180000-memory.dmp  7.7MB