Analysis
-
max time kernel
17s -
max time network
38s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
30-11-2022 13:44
General
-
Target
7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7.exe
-
Size
11.7MB
-
MD5
8bd3bff5e679f6b14e42d7b66aa8497f
-
SHA1
76891d257c1a9ba36426b3e834b8eda6c5254ffc
-
SHA256
7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7
-
SHA512
05deb4c1c8fa09c07600dbb79b2ad35c1532f773b7ab28d18c833c8b63d7e076ce2e232bd13a2eb9abd1a2f3d1668d7802d0fa205f619222358d4368fb06a0df
-
SSDEEP
384:rMgQoufci5qP6TseVkeHD9xu+FyVQVhwfPl5SCuZacZ/LsytKY1Q39cYAYAwj7aW:6ro
Malware Config
Extracted
asyncrat
0.5.7B
Katayumi
normal-knife.auto.playit.gg:54950
normal-knife.auto.playit.gg:7707
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
ZxKKE4oK8.exe
-
install_folder
%Temp%
Extracted
quasar
2.1.0.0
Skidy
roasted-flag.auto.playit.gg:51952
VNM_MUTEX_bsVy5mHRmaFZMQOLbI
-
encryption_key
ux20jjbixeS7PecgmZeq
-
install_name
windows.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
windows
-
subdirectory
$windows
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs 2 IoCs
-
Async RAT payload 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 10 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 10 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 50 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7.exe"C:\Users\Admin\AppData\Local\Temp\7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7.exe"C:\Users\Admin\AppData\Local\Temp\7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 9844⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ZxKKE4oK8" /tr '"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"' & exit5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "ZxKKE4oK8" /tr '"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"'6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1D8A.tmp.bat""5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 36⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 17⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 18⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 14724⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\LunaInjector.exe"C:\Users\Admin\AppData\Roaming\LunaInjector.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F7A3.tmp\F7A4.tmp\F7A5.bat C:\Users\Admin\AppData\Roaming\LunaInjector.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
C:\Windows\system32\mode.commode 82,245⤵
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\$windows\windows.exe"C:\Users\Admin\AppData\Roaming\$windows\windows.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 16⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 17⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\$windows\windows.exe"C:\Users\Admin\AppData\Roaming\$windows\windows.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$windows\windows.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6A1F8gAdKXHS.bat" "7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 10526⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jJv8JB4mid7E.bat" "5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 11884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 22122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4844 -ip 48441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1348 -ip 13481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2724 -ip 27241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1332 -ip 13321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3092 -ip 30921⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5ae91d7de8bdf2ec15754928aa22d911b
SHA1513d560db89f0bc4413f0248133e221eeea53d27
SHA2562866d0013f804c09c6ec89c081dcd394a95c8bb421bdc4339e5486f9e1183b8c
SHA512d46371deb4a3b378cf81a3e7c1d40154ed8029f230d439c6bf4200d43acc2068c116038a56ac768a448c95334e5c20e9b62a904aa324b97fb9679fa724fed668
-
C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exeFilesize
545KB
MD59c8b5486b38230c7c1f934c01a895d95
SHA185626e89ca6a0a3838786698ec670d909c5eec5b
SHA256fd8eb30f8c98d4e97459b051f6e14a52e6194e4b431ae1243c8638f08701f5a5
SHA5125555b9c7ccef651f03787f7531eea69023fc7c4aaa2315aba878d490f1a655afbd6347da0721d5e88cad3a956e399d21dfda2f2d2a83afc1c7277f1468a17450
-
C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exeFilesize
545KB
MD59c8b5486b38230c7c1f934c01a895d95
SHA185626e89ca6a0a3838786698ec670d909c5eec5b
SHA256fd8eb30f8c98d4e97459b051f6e14a52e6194e4b431ae1243c8638f08701f5a5
SHA5125555b9c7ccef651f03787f7531eea69023fc7c4aaa2315aba878d490f1a655afbd6347da0721d5e88cad3a956e399d21dfda2f2d2a83afc1c7277f1468a17450
-
C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exeFilesize
545KB
MD59c8b5486b38230c7c1f934c01a895d95
SHA185626e89ca6a0a3838786698ec670d909c5eec5b
SHA256fd8eb30f8c98d4e97459b051f6e14a52e6194e4b431ae1243c8638f08701f5a5
SHA5125555b9c7ccef651f03787f7531eea69023fc7c4aaa2315aba878d490f1a655afbd6347da0721d5e88cad3a956e399d21dfda2f2d2a83afc1c7277f1468a17450
-
C:\Users\Admin\AppData\Local\Temp\F7A3.tmp\F7A4.tmp\F7A5.batFilesize
438B
MD5ad81fd823266aabb73a229b8d842720e
SHA109c851304e0626bbf5fd15aa4212e14c9a8294a2
SHA256ad3ce6e067e2210681ffca11d32d91c6be6cc13fca5f9fb7ab7a73e4daa31f00
SHA512201bc9e51c00bbb38e949c06b59adcb32f9a07caeba38fc92db7ec8f9c54e43932fed045982cd4fa56d605f082f44828de7f9ad732777fc7ca86a4ff7f91989e
-
C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exeFilesize
660KB
MD5cc62fe37de863f616d672eaf6b22b0c3
SHA12aca0fd587e4a998e749162a2a12f40bc49d50e7
SHA256edefa1d69e62fd464ffd2599c369b147edcff115e1f7a0454d9d9b567ce15d1b
SHA5127923d36d4651062684058c817cf2dd19295864e7bc82d33b8120ca3695390d5610cf37731f92f8acbb936df6f72e13c9cb1d64d4b3b13aafd82374bce1a0ac4d
-
C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exeFilesize
660KB
MD5cc62fe37de863f616d672eaf6b22b0c3
SHA12aca0fd587e4a998e749162a2a12f40bc49d50e7
SHA256edefa1d69e62fd464ffd2599c369b147edcff115e1f7a0454d9d9b567ce15d1b
SHA5127923d36d4651062684058c817cf2dd19295864e7bc82d33b8120ca3695390d5610cf37731f92f8acbb936df6f72e13c9cb1d64d4b3b13aafd82374bce1a0ac4d
-
C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exeFilesize
660KB
MD5cc62fe37de863f616d672eaf6b22b0c3
SHA12aca0fd587e4a998e749162a2a12f40bc49d50e7
SHA256edefa1d69e62fd464ffd2599c369b147edcff115e1f7a0454d9d9b567ce15d1b
SHA5127923d36d4651062684058c817cf2dd19295864e7bc82d33b8120ca3695390d5610cf37731f92f8acbb936df6f72e13c9cb1d64d4b3b13aafd82374bce1a0ac4d
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exeFilesize
4.2MB
MD50ca81a3bec58298a318d19bdf208cb99
SHA1cec944263887c4e3ac2956f2a27cbc9be86591d6
SHA256ffe3d6f61150e4a25a4e9549252dc1a505bfd2247f7d3aacec825e1787f089ea
SHA512eda9f6e37ea306e38fa5cdaf5c036782dab19a8dca628af63adb959d75579d014fd17bce5f4e9b5c7c6b24cea2cbaf95fbe849fe93b3e5faa87dbf69bdea1940
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exeFilesize
4.2MB
MD50ca81a3bec58298a318d19bdf208cb99
SHA1cec944263887c4e3ac2956f2a27cbc9be86591d6
SHA256ffe3d6f61150e4a25a4e9549252dc1a505bfd2247f7d3aacec825e1787f089ea
SHA512eda9f6e37ea306e38fa5cdaf5c036782dab19a8dca628af63adb959d75579d014fd17bce5f4e9b5c7c6b24cea2cbaf95fbe849fe93b3e5faa87dbf69bdea1940
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exeFilesize
4.2MB
MD50ca81a3bec58298a318d19bdf208cb99
SHA1cec944263887c4e3ac2956f2a27cbc9be86591d6
SHA256ffe3d6f61150e4a25a4e9549252dc1a505bfd2247f7d3aacec825e1787f089ea
SHA512eda9f6e37ea306e38fa5cdaf5c036782dab19a8dca628af63adb959d75579d014fd17bce5f4e9b5c7c6b24cea2cbaf95fbe849fe93b3e5faa87dbf69bdea1940
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exeFilesize
4.2MB
MD50ca81a3bec58298a318d19bdf208cb99
SHA1cec944263887c4e3ac2956f2a27cbc9be86591d6
SHA256ffe3d6f61150e4a25a4e9549252dc1a505bfd2247f7d3aacec825e1787f089ea
SHA512eda9f6e37ea306e38fa5cdaf5c036782dab19a8dca628af63adb959d75579d014fd17bce5f4e9b5c7c6b24cea2cbaf95fbe849fe93b3e5faa87dbf69bdea1940
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exeFilesize
4.2MB
MD50ca81a3bec58298a318d19bdf208cb99
SHA1cec944263887c4e3ac2956f2a27cbc9be86591d6
SHA256ffe3d6f61150e4a25a4e9549252dc1a505bfd2247f7d3aacec825e1787f089ea
SHA512eda9f6e37ea306e38fa5cdaf5c036782dab19a8dca628af63adb959d75579d014fd17bce5f4e9b5c7c6b24cea2cbaf95fbe849fe93b3e5faa87dbf69bdea1940
-
C:\Users\Admin\AppData\Local\Temp\SHA90123M17.exeFilesize
4.2MB
MD50ca81a3bec58298a318d19bdf208cb99
SHA1cec944263887c4e3ac2956f2a27cbc9be86591d6
SHA256ffe3d6f61150e4a25a4e9549252dc1a505bfd2247f7d3aacec825e1787f089ea
SHA512eda9f6e37ea306e38fa5cdaf5c036782dab19a8dca628af63adb959d75579d014fd17bce5f4e9b5c7c6b24cea2cbaf95fbe849fe93b3e5faa87dbf69bdea1940
-
C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exeFilesize
660KB
MD5cc62fe37de863f616d672eaf6b22b0c3
SHA12aca0fd587e4a998e749162a2a12f40bc49d50e7
SHA256edefa1d69e62fd464ffd2599c369b147edcff115e1f7a0454d9d9b567ce15d1b
SHA5127923d36d4651062684058c817cf2dd19295864e7bc82d33b8120ca3695390d5610cf37731f92f8acbb936df6f72e13c9cb1d64d4b3b13aafd82374bce1a0ac4d
-
C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exeFilesize
660KB
MD5cc62fe37de863f616d672eaf6b22b0c3
SHA12aca0fd587e4a998e749162a2a12f40bc49d50e7
SHA256edefa1d69e62fd464ffd2599c369b147edcff115e1f7a0454d9d9b567ce15d1b
SHA5127923d36d4651062684058c817cf2dd19295864e7bc82d33b8120ca3695390d5610cf37731f92f8acbb936df6f72e13c9cb1d64d4b3b13aafd82374bce1a0ac4d
-
C:\Users\Admin\AppData\Local\Temp\jJv8JB4mid7E.batFilesize
208B
MD51912d82ae84a5401b41763449b384fa8
SHA10bc4de5a1c1bcdd8ce4d2db37be3adc2b9a2e325
SHA25622204978b2a5b81c26fae43cf20d6d40ac6c509869f2ae31d2d94bd829c35457
SHA5126c3564612cf31b495a0214876c64511a57451502404f2c59e2028fd32a357834c8f16c35de51316d52b137c805db4aaa3a204bc9e7c6578769ce72a00bfa8ba7
-
C:\Users\Admin\AppData\Local\Temp\tmp1D8A.tmp.batFilesize
156B
MD5f70c4d71706d116f234e138ae380bf34
SHA111e7a8a636c5997ff786d67389765bf526c940d5
SHA2560f609a55c8e6dffb6513c1c77473fb126b027ebe95422f3e7f24625504c8426a
SHA512890a990e67fd04a519722137474a6e9a33fe1e47f97503cdff5028490da9fcf7598a49d31b7c9bb2a76e94cde8f84326a66fa100a8f007c1056009443cadc2a0
-
C:\Users\Admin\AppData\Roaming\$windows\windows.exeFilesize
4.2MB
MD50ca81a3bec58298a318d19bdf208cb99
SHA1cec944263887c4e3ac2956f2a27cbc9be86591d6
SHA256ffe3d6f61150e4a25a4e9549252dc1a505bfd2247f7d3aacec825e1787f089ea
SHA512eda9f6e37ea306e38fa5cdaf5c036782dab19a8dca628af63adb959d75579d014fd17bce5f4e9b5c7c6b24cea2cbaf95fbe849fe93b3e5faa87dbf69bdea1940
-
C:\Users\Admin\AppData\Roaming\$windows\windows.exeFilesize
4.2MB
MD50ca81a3bec58298a318d19bdf208cb99
SHA1cec944263887c4e3ac2956f2a27cbc9be86591d6
SHA256ffe3d6f61150e4a25a4e9549252dc1a505bfd2247f7d3aacec825e1787f089ea
SHA512eda9f6e37ea306e38fa5cdaf5c036782dab19a8dca628af63adb959d75579d014fd17bce5f4e9b5c7c6b24cea2cbaf95fbe849fe93b3e5faa87dbf69bdea1940
-
C:\Users\Admin\AppData\Roaming\$windows\windows.exeFilesize
4.2MB
MD50ca81a3bec58298a318d19bdf208cb99
SHA1cec944263887c4e3ac2956f2a27cbc9be86591d6
SHA256ffe3d6f61150e4a25a4e9549252dc1a505bfd2247f7d3aacec825e1787f089ea
SHA512eda9f6e37ea306e38fa5cdaf5c036782dab19a8dca628af63adb959d75579d014fd17bce5f4e9b5c7c6b24cea2cbaf95fbe849fe93b3e5faa87dbf69bdea1940
-
C:\Users\Admin\AppData\Roaming\LunaInjector.exeFilesize
89KB
MD538bece8d537dea0d0bf7603c073aa90c
SHA1fc70b8b4d22b323fe9e886f36620269d6c791eac
SHA256261b67c10cca406ce934032f7e6da36b8408db3fce6df7d7a37dca69703c59cb
SHA512224d70c8f2b8c98456177cd087faa77436c86fbcd4fe36ae410c6d184181b30cbd50718fbfa347b85a0d2d303f273197fd9fea5addb28538eab43d84f527185d
-
C:\Users\Admin\AppData\Roaming\LunaInjector.exeFilesize
89KB
MD538bece8d537dea0d0bf7603c073aa90c
SHA1fc70b8b4d22b323fe9e886f36620269d6c791eac
SHA256261b67c10cca406ce934032f7e6da36b8408db3fce6df7d7a37dca69703c59cb
SHA512224d70c8f2b8c98456177cd087faa77436c86fbcd4fe36ae410c6d184181b30cbd50718fbfa347b85a0d2d303f273197fd9fea5addb28538eab43d84f527185d
-
memory/116-212-0x0000000000000000-mapping.dmp
-
memory/656-230-0x0000000000000000-mapping.dmp
-
memory/848-208-0x0000000000000000-mapping.dmp
-
memory/1284-222-0x0000000000000000-mapping.dmp
-
memory/1332-156-0x0000000000000000-mapping.dmp
-
memory/1332-159-0x0000000000300000-0x000000000072C000-memory.dmpFilesize
4.2MB
-
memory/1348-149-0x0000000000000000-mapping.dmp
-
memory/1348-153-0x0000000000D90000-0x0000000000E3A000-memory.dmpFilesize
680KB
-
memory/1768-165-0x0000000000000000-mapping.dmp
-
memory/1800-169-0x0000000000000000-mapping.dmp
-
memory/2064-203-0x0000000000000000-mapping.dmp
-
memory/2064-215-0x0000000071D00000-0x0000000071D4C000-memory.dmpFilesize
304KB
-
memory/2352-187-0x0000000000000000-mapping.dmp
-
memory/2724-150-0x0000000000AC0000-0x0000000000B4E000-memory.dmpFilesize
568KB
-
memory/2724-146-0x0000000000000000-mapping.dmp
-
memory/3020-164-0x0000000000000000-mapping.dmp
-
memory/3092-202-0x0000000000000000-mapping.dmp
-
memory/3224-213-0x0000000000000000-mapping.dmp
-
memory/3284-200-0x0000000006880000-0x00000000068BC000-memory.dmpFilesize
240KB
-
memory/3284-199-0x0000000006320000-0x0000000006332000-memory.dmpFilesize
72KB
-
memory/3284-194-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/3284-193-0x0000000000000000-mapping.dmp
-
memory/3336-141-0x0000000000000000-mapping.dmp
-
memory/3388-229-0x0000000000000000-mapping.dmp
-
memory/3468-171-0x0000000000000000-mapping.dmp
-
memory/3608-227-0x0000000000000000-mapping.dmp
-
memory/3620-140-0x00000000059C0000-0x0000000005A26000-memory.dmpFilesize
408KB
-
memory/3620-168-0x000000006FD00000-0x000000006FD4C000-memory.dmpFilesize
304KB
-
memory/3620-196-0x0000000007690000-0x000000000769E000-memory.dmpFilesize
56KB
-
memory/3620-185-0x00000000076D0000-0x0000000007766000-memory.dmpFilesize
600KB
-
memory/3620-197-0x00000000077A0000-0x00000000077BA000-memory.dmpFilesize
104KB
-
memory/3620-182-0x00000000074C0000-0x00000000074CA000-memory.dmpFilesize
40KB
-
memory/3620-170-0x00000000066F0000-0x000000000670E000-memory.dmpFilesize
120KB
-
memory/3620-143-0x0000000006150000-0x000000000616E000-memory.dmpFilesize
120KB
-
memory/3620-139-0x00000000051A0000-0x00000000051C2000-memory.dmpFilesize
136KB
-
memory/3620-138-0x0000000005390000-0x00000000059B8000-memory.dmpFilesize
6.2MB
-
memory/3620-174-0x0000000007A90000-0x000000000810A000-memory.dmpFilesize
6.5MB
-
memory/3620-198-0x0000000007780000-0x0000000007788000-memory.dmpFilesize
32KB
-
memory/3620-137-0x0000000002850000-0x0000000002886000-memory.dmpFilesize
216KB
-
memory/3620-175-0x0000000007450000-0x000000000746A000-memory.dmpFilesize
104KB
-
memory/3620-166-0x0000000007120000-0x0000000007152000-memory.dmpFilesize
200KB
-
memory/3620-136-0x0000000000000000-mapping.dmp
-
memory/3644-191-0x0000000000000000-mapping.dmp
-
memory/3804-210-0x0000000000000000-mapping.dmp
-
memory/4032-167-0x0000000000000000-mapping.dmp
-
memory/4156-219-0x0000000000000000-mapping.dmp
-
memory/4164-161-0x0000000000000000-mapping.dmp
-
memory/4204-173-0x0000000000000000-mapping.dmp
-
memory/4388-224-0x0000000000000000-mapping.dmp
-
memory/4392-142-0x0000000000000000-mapping.dmp
-
memory/4400-225-0x0000000000000000-mapping.dmp
-
memory/4524-177-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4524-176-0x0000000000000000-mapping.dmp
-
memory/4612-145-0x0000000000400000-0x0000000000598000-memory.dmpFilesize
1.6MB
-
memory/4612-144-0x0000000000000000-mapping.dmp
-
memory/4636-172-0x0000000000000000-mapping.dmp
-
memory/4660-154-0x0000000000000000-mapping.dmp
-
memory/4720-180-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4720-184-0x00000000051A0000-0x00000000051AA000-memory.dmpFilesize
40KB
-
memory/4720-186-0x0000000005470000-0x00000000054E6000-memory.dmpFilesize
472KB
-
memory/4720-183-0x0000000005200000-0x0000000005292000-memory.dmpFilesize
584KB
-
memory/4720-179-0x0000000000000000-mapping.dmp
-
memory/4784-223-0x0000000000000000-mapping.dmp
-
memory/4796-214-0x0000000000000000-mapping.dmp
-
memory/4844-132-0x0000000000B00000-0x00000000016C0000-memory.dmpFilesize
11.8MB
-
memory/4844-135-0x000000000C3A0000-0x000000000C406000-memory.dmpFilesize
408KB
-
memory/4844-134-0x000000000CF40000-0x000000000D4E4000-memory.dmpFilesize
5.6MB
-
memory/4844-133-0x0000000005FE0000-0x000000000607C000-memory.dmpFilesize
624KB
-
memory/4892-209-0x0000000000000000-mapping.dmp
-
memory/4932-226-0x0000000000000000-mapping.dmp
-
memory/5020-216-0x0000000000000000-mapping.dmp
-
memory/5024-201-0x0000000000000000-mapping.dmp
-
memory/5048-189-0x0000000000000000-mapping.dmp
-
memory/5108-163-0x0000000000000000-mapping.dmp