Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
27-05-2024 14:01
General
-
Target
Lunar Release.rar
-
Size
57.5MB
-
MD5
17e97ff9038efe7e34cfe0e4dcb8588a
-
SHA1
7664f96e2d9a1fdc55428f476a7dd0ce1a88d5d9
-
SHA256
625003c81f3726f91c74f306fe26bdd73efa3050499bc49849aa463ff7cd64fe
-
SHA512
407952e00df66b3c157ac5e8e25b569a12d6ed37d741d09764818e7ccc6c996d9fe96cc77b30feac23728bf71284cab111b6fc5df59b42d2fec862df888c96f9
-
SSDEEP
1572864:jtIsfSjSGt+a0Sb/u95f3f9fvBva+05Zqknd5RNI:JIsfSjSGtTcfvbaLZJjs
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 9 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 20 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in System32 directory 22 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 18 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding3⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
- Modifies security service
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R3⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exeC:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe3⤵
-
C:\Windows\system32\svchost.exesvchost.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exeC:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
-
C:\Windows\system32\dialer.exedialer.exe3⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Lunar Release.rar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lunar Release.rar"3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zO04A54CA6\LunarExecutorV1.2.EXE"C:\Users\Admin\AppData\Local\Temp\7zO04A54CA6\LunarExecutorV1.2.EXE"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\final1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\final1.EXE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXEC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXE6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exe7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "HDNFMUHS"8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "HDNFMUHS" binpath= "C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe" start= "auto"8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "HDNFMUHS"8⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart9⤵
- Drops file in Windows directory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc8⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "YWZWALUU"8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "YWZWALUU" binpath= "C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe" start= "auto"8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "YWZWALUU"8⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "18636244762037937165-1132024937-11388184721765603568-1565940907-757815405926784044"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "76027693910246559923408951821036525137-10000899101216221018-5196798191479692048"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "953458906-95577133620140569-1304227540994153774543753285-214043789-424179933"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1331306730-155978936314140864419740903201361877903666487616-1617962815-682980414"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1268697727622580652884812469-1139635105-888073211615513164-663042504-584175105"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-952326796-1784166280-513518014-15510524501646561599-16093908792020020542-91323062"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2241305601023621771-5789790864615289-1309186291-1648235562797704275760804750"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "732554367-1319369074-1177199511-12376710541394921224-2073829729-707800739-1083588964"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "424091320-106835720482719228647862840-1430717964142215368-395471002-2022979236"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-10313659791633592817-1368131950-19698155531238855234818116419731952047-1992842420"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "59374003614261425602105730056810833148-3043395787307585161576945307-924769589"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2107892631-1433568471-19041070286725679-19536861096028556521364369085573323969"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "319342230-1140508973-934119466243853401-620655851-1223752029150657226-1035545015"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "67708734-19104691472014323481780791630-16717715923565588621598994262-915677495"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "194386492-2008439544-516069018-207442737010042544021470993792-2105651720-1458078087"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1004597626-267875555-3106890477442291891107768881-298304662-1978278812-907822173"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-679605298-1861030541872956440-143728074224952443307083651-1416561457-1992155721"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1832933528743444601-166696633-6915084713991499581431487298-105817059-102268656"1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXEFilesize
4.3MB
MD5e6fe75c4390d3970545f0fdbb3274244
SHA18b6ed33f1778800cf0549bd7214249bdb81fbb58
SHA25648aaa21d99bf5fb15abc6945911438e5f3ac4c378ac89bc4eb850200f9f648d5
SHA51217b0911f13a1348e6511faf412f63721e7df7b196ae3a6acb86789eb04a2f8a90a42a6931a0c0ad45ee98910c4661c6db7e43623c560a963cd4d021ce9b1ad20
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exeFilesize
2.7MB
MD519c095e1c399bdaa0663caa9162f0b0e
SHA1cb5504712ec965f7c43883f2f251823755b1e37e
SHA25638edfd7aa66f3ae1f376b9cdce558befd877d749e38306f412e8db436cb56713
SHA512a2a8e9e5140d7b306ba98d3674aa89b3e287cdf39bcf4b326148d963c38052fc65e99a17c0bf846150d71ff3efbd2c9d4b61b4c2d5847f8c9afa222af4c946d9
-
C:\Users\Admin\AppData\Local\Temp\_MEI9482\python312.dllFilesize
6.6MB
MD53c388ce47c0d9117d2a50b3fa5ac981d
SHA1038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
C:\Windows\System32\perfc007.datFilesize
145KB
MD519c7052de3b7281b4c1c6bfbb543c5dc
SHA1d2e12081a14c1069c89f2cee7357a559c27786e7
SHA25614ed6cb3198e80964cbc687a60aed24fb68d1bbd7588f983dc1fc6ae63514b4a
SHA512289ca791909882c857014bd24e777fa84b533896508b562051b529d4c27e0d98bc41c801c6384b382f5dc0fa584dc8f713939c636543b0a5cf5ea2b396300f83
-
C:\Windows\System32\perfc00A.datFilesize
154KB
MD5f0ecfbfa3e3e59fd02197018f7e9cb84
SHA1961e9367a4ef3a189466c0a0a186faf8958bdbc4
SHA256cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324
SHA512116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294
-
C:\Windows\System32\perfc00C.datFilesize
145KB
MD5ce233fa5dc5adcb87a5185617a0ff6ac
SHA12e2747284b1204d3ab08733a29fdbabdf8dc55b9
SHA25668d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31
SHA5121e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2
-
C:\Windows\System32\perfc010.datFilesize
142KB
MD5d73172c6cb697755f87cd047c474cf91
SHA1abc5c7194abe32885a170ca666b7cce8251ac1d6
SHA2569de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57
SHA5127c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6
-
C:\Windows\System32\perfc011.datFilesize
114KB
MD51f998386566e5f9b7f11cc79254d1820
SHA1e1da5fe1f305099b94de565d06bc6f36c6794481
SHA2561665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea
SHA512a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f
-
C:\Windows\System32\perfh007.datFilesize
680KB
MD5b69ab3aeddb720d6ef8c05ff88c23b38
SHA1d830c2155159656ed1806c7c66cae2a54a2441fa
SHA25624c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625
SHA5124c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d
-
C:\Windows\System32\perfh009.datFilesize
646KB
MD5aecab86cc5c705d7a036cba758c1d7b0
SHA1e88cf81fd282d91c7fc0efae13c13c55f4857b5e
SHA2569bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066
SHA512e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8
-
C:\Windows\System32\perfh00A.datFilesize
727KB
MD57d0bac4e796872daa3f6dc82c57f4ca8
SHA1b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a
SHA256ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879
SHA512145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e
-
C:\Windows\System32\perfh00C.datFilesize
727KB
MD55f684ce126de17a7d4433ed2494c5ca9
SHA1ce1a30a477daa1bac2ec358ce58731429eafe911
SHA2562e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c
SHA5124d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b
-
C:\Windows\System32\perfh010.datFilesize
722KB
MD54623482c106cf6cc1bac198f31787b65
SHA15abb0decf7b42ef5daf7db012a742311932f6dad
SHA256eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349
SHA512afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f
-
C:\Windows\System32\perfh011.datFilesize
406KB
MD554c674d19c0ff72816402f66f6c3d37c
SHA12dcc0269545a213648d59dc84916d9ec2d62a138
SHA256646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5
SHA5124d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f
-
C:\Windows\System32\wbem\Performance\WmiApRpl.hFilesize
3KB
MD5b133a676d139032a27de3d9619e70091
SHA11248aa89938a13640252a79113930ede2f26f1fa
SHA256ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5
-
C:\Windows\System32\wbem\Performance\WmiApRpl.iniFilesize
27KB
MD546d08e3a55f007c523ac64dce6dcf478
SHA162edf88697e98d43f32090a2197bead7e7244245
SHA2565b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614
SHA512b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\final1.EXEFilesize
36.9MB
MD54e463f20f2fd3d53e026b543af7cf6d5
SHA1d682f9e49845b855a7b16c584b528e13fcd3fbd6
SHA256b95fdb4a4b5303fda5264c1879f3ad1c847d7fea4c924e7aef7e5248f5796054
SHA51294e7ea55e96ce1118abd283473e66dedc933d7b6bf10713e3da4db5fa91bba3ca0a61580f01213c62282c7b272855c8c8b43e2f3fa410339349676f8d6eaf6de
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXEFilesize
32.9MB
MD59ca4353663a5be5e7fa26ef45f412bfc
SHA19b1b6457f81e5342ef6d441ac43b57b3bc2353d9
SHA25602c868b4e9b704c0114e045d816e0ad7ec9d224635d53ce614770d9d681ff7d9
SHA512ccd19903395d49d621bc09fbfd2fa8fe9f7fdbeff3922498f8ebeb880e1a00db715d72eca1c3a4e60a53fd36df2811f3b263d7ccf9f1d137279c37db107da991
-
\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exeFilesize
2.5MB
MD51994ad04639f3d12c7bbfa37feb3434f
SHA14979247e5a9771286a91827851527e5dbfb80c8e
SHA256c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c
SHA512adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43
-
\Users\Admin\AppData\Local\Temp\_MEI9482\api-ms-win-core-file-l1-2-0.dllFilesize
21KB
MD51c58526d681efe507deb8f1935c75487
SHA10e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA5128edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1
-
\Users\Admin\AppData\Local\Temp\_MEI9482\api-ms-win-core-file-l2-1-0.dllFilesize
18KB
MD5bfffa7117fd9b1622c66d949bac3f1d7
SHA1402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA2561ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f
-
\Users\Admin\AppData\Local\Temp\_MEI9482\api-ms-win-core-localization-l1-2-0.dllFilesize
21KB
MD5724223109e49cb01d61d63a8be926b8f
SHA1072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA2564e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA51219b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c
-
\Users\Admin\AppData\Local\Temp\_MEI9482\api-ms-win-core-processthreads-l1-1-1.dllFilesize
21KB
MD5517eb9e2cb671ae49f99173d7f7ce43f
SHA14ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA25657cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be
-
\Users\Admin\AppData\Local\Temp\_MEI9482\api-ms-win-core-timezone-l1-1-0.dllFilesize
21KB
MD5d12403ee11359259ba2b0706e5e5111c
SHA103cc7827a30fd1dee38665c0cc993b4b533ac138
SHA256f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781
SHA5129004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0
-
\Users\Admin\AppData\Local\Temp\_MEI9482\ucrtbase.dllFilesize
992KB
MD50e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
memory/320-95-0x00000000026D0000-0x00000000026D8000-memory.dmpFilesize
32KB
-
memory/320-94-0x000000001B4A0000-0x000000001B782000-memory.dmpFilesize
2.9MB
-
memory/436-107-0x00000000003F0000-0x0000000000414000-memory.dmpFilesize
144KB
-
memory/436-113-0x0000000000C60000-0x0000000000C8B000-memory.dmpFilesize
172KB
-
memory/436-114-0x000007FEBD470000-0x000007FEBD480000-memory.dmpFilesize
64KB
-
memory/436-115-0x00000000372A0000-0x00000000372B0000-memory.dmpFilesize
64KB
-
memory/436-109-0x00000000003F0000-0x0000000000414000-memory.dmpFilesize
144KB
-
memory/488-117-0x0000000000320000-0x000000000034B000-memory.dmpFilesize
172KB
-
memory/488-118-0x000007FEBD470000-0x000007FEBD480000-memory.dmpFilesize
64KB
-
memory/488-119-0x00000000372A0000-0x00000000372B0000-memory.dmpFilesize
64KB
-
memory/496-124-0x00000000000A0000-0x00000000000CB000-memory.dmpFilesize
172KB
-
memory/496-126-0x00000000372A0000-0x00000000372B0000-memory.dmpFilesize
64KB
-
memory/496-125-0x000007FEBD470000-0x000007FEBD480000-memory.dmpFilesize
64KB
-
memory/1344-62-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1344-65-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1344-63-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1344-61-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1344-60-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1344-66-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1656-75-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-69-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-74-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-71-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-77-0x00000000000D0000-0x00000000000F0000-memory.dmpFilesize
128KB
-
memory/1656-89-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-88-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-87-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-83-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-84-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-86-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-85-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-76-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-72-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-70-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2936-99-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2936-97-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2936-98-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2936-101-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2936-102-0x0000000077260000-0x0000000077409000-memory.dmpFilesize
1.7MB
-
memory/2936-103-0x0000000077040000-0x000000007715F000-memory.dmpFilesize
1.1MB
-
memory/2936-104-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2936-96-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3012-464-0x0000000000A30000-0x0000000000A38000-memory.dmpFilesize
32KB
-
memory/3012-463-0x000000001A0B0000-0x000000001A392000-memory.dmpFilesize
2.9MB