Overview
overview
10Static
static
3Lunar Release.rar
windows7-x64
10Lunar Release.rar
windows10-2004-x64
3Lunar Rele....2.exe
windows10-2004-x64
10Lunar Rele...ch.dll
windows7-x64
1Lunar Rele...ch.dll
windows10-2004-x64
1Lunar Rele...on.dll
windows7-x64
1Lunar Rele...on.dll
windows10-2004-x64
1Lunar Rele...al.txt
windows7-x64
1Lunar Rele...al.txt
windows10-2004-x64
1Lunar Rele...ld.txt
windows7-x64
1Lunar Rele...ld.txt
windows10-2004-x64
1Lunar Rele...sf.ico
windows7-x64
1Lunar Rele...sf.ico
windows10-2004-x64
3Lunar Rele...eld.js
windows7-x64
3Lunar Rele...eld.js
windows10-2004-x64
3Lunar Rele...se.txt
windows7-x64
1Lunar Rele...se.txt
windows10-2004-x64
1Lunar Rele...ces.js
windows7-x64
3Lunar Rele...ces.js
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-05-2024 14:01
Static task
static1
Behavioral task
behavioral1
Sample
Lunar Release.rar
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Lunar Release.rar
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Lunar Release/LunarExecutorV1.2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
Lunar Release/auto_attach.dll
Resource
win7-20231129-en
Behavioral task
behavioral5
Sample
Lunar Release/auto_attach.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
Lunar Release/byfron.dll
Resource
win7-20240508-en
Behavioral task
behavioral7
Sample
Lunar Release/byfron.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
Lunar Release/fonts and logo/Arial.txt
Resource
win7-20240508-en
Behavioral task
behavioral9
Sample
Lunar Release/fonts and logo/Arial.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
Lunar Release/fonts and logo/Bold.txt
Resource
win7-20240220-en
Behavioral task
behavioral11
Sample
Lunar Release/fonts and logo/Bold.txt
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
Lunar Release/fonts and logo/fdsfdsf.ico
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
Lunar Release/fonts and logo/fdsfdsf.ico
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
Lunar Release/infinite yield.js
Resource
win7-20231129-en
Behavioral task
behavioral15
Sample
Lunar Release/infinite yield.js
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
Lunar Release/license.txt
Resource
win7-20240508-en
Behavioral task
behavioral17
Sample
Lunar Release/license.txt
Resource
win10v2004-20240226-en
Behavioral task
behavioral18
Sample
Lunar Release/resources.js
Resource
win7-20240419-en
Behavioral task
behavioral19
Sample
Lunar Release/resources.js
Resource
win10v2004-20240508-en
General
-
Target
Lunar Release.rar
-
Size
57.5MB
-
MD5
17e97ff9038efe7e34cfe0e4dcb8588a
-
SHA1
7664f96e2d9a1fdc55428f476a7dd0ce1a88d5d9
-
SHA256
625003c81f3726f91c74f306fe26bdd73efa3050499bc49849aa463ff7cd64fe
-
SHA512
407952e00df66b3c157ac5e8e25b569a12d6ed37d741d09764818e7ccc6c996d9fe96cc77b30feac23728bf71284cab111b6fc5df59b42d2fec862df888c96f9
-
SSDEEP
1572864:jtIsfSjSGt+a0Sb/u95f3f9fvBva+05Zqknd5RNI:JIsfSjSGtTcfvbaLZJjs
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection svchost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP svchost.exe -
XMRig Miner payload 9 IoCs
Processes:
resource yara_rule behavioral1/memory/1656-83-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1656-84-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1656-86-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1656-85-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1656-76-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1656-75-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1656-87-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1656-88-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/1656-89-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid process 320 powershell.exe 3012 powershell.exe -
Creates new service(s) 2 TTPs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
services.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\YWZWALUU\ImagePath = "C:\\ProgramData\\bbskkvrqdoji\\fdjrmaypnxal.exe" services.exe -
Executes dropped EXE 10 IoCs
Processes:
LunarExecutorV1.2.EXEfinal1.EXEnum2.EXEjhi_service.exeservices.exekanilzbpgdul.exeMicrosoftEdgeUpdater.exefdjrmaypnxal.exeLUNARE~1.EXELUNARE~1.EXEpid process 2248 LunarExecutorV1.2.EXE 2616 final1.EXE 2692 num2.EXE 2184 jhi_service.exe 488 services.exe 2344 kanilzbpgdul.exe 2044 MicrosoftEdgeUpdater.exe 2604 fdjrmaypnxal.exe 948 LUNARE~1.EXE 2876 LUNARE~1.EXE -
Loads dropped DLL 20 IoCs
Processes:
7zFM.exeLunarExecutorV1.2.EXEfinal1.EXEnum2.EXEservices.execonhost.exeLUNARE~1.EXELUNARE~1.EXEpid process 2624 7zFM.exe 2248 LunarExecutorV1.2.EXE 2616 final1.EXE 2692 num2.EXE 2692 num2.EXE 488 services.exe 2692 num2.EXE 2692 num2.EXE 488 services.exe 488 services.exe 2616 final1.EXE 1584 conhost.exe 948 LUNARE~1.EXE 2876 LUNARE~1.EXE 2876 LUNARE~1.EXE 2876 LUNARE~1.EXE 2876 LUNARE~1.EXE 2876 LUNARE~1.EXE 2876 LUNARE~1.EXE 2876 LUNARE~1.EXE -
Processes:
resource yara_rule behavioral1/memory/1656-74-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-71-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-83-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-84-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-86-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-85-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-76-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-75-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-72-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-70-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-69-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-87-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-88-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/1656-89-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
num2.EXELunarExecutorV1.2.EXEfinal1.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" num2.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" LunarExecutorV1.2.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" final1.EXE -
Drops file in System32 directory 22 IoCs
Processes:
WMIADAP.EXEfdjrmaypnxal.exesvchost.exepowershell.exeMicrosoftEdgeUpdater.exepowershell.exedescription ioc process File opened for modification C:\Windows\system32\PerfStringBackup.INI WMIADAP.EXE File opened for modification C:\Windows\system32\MRT.exe fdjrmaypnxal.exe File created C:\Windows\system32\perfh007.dat WMIADAP.EXE File created C:\Windows\system32\perfc00A.dat WMIADAP.EXE File created C:\Windows\system32\perfc00C.dat WMIADAP.EXE File created C:\Windows\system32\perfc010.dat WMIADAP.EXE File created C:\Windows\system32\perfh010.dat WMIADAP.EXE File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini WMIADAP.EXE File created C:\Windows\system32\perfc007.dat WMIADAP.EXE File created C:\Windows\system32\perfc011.dat WMIADAP.EXE File created C:\Windows\system32\perfh011.dat WMIADAP.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx svchost.exe File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h WMIADAP.EXE File created C:\Windows\system32\perfh009.dat WMIADAP.EXE File created C:\Windows\system32\perfh00A.dat WMIADAP.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\MRT.exe MicrosoftEdgeUpdater.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\perfc009.dat WMIADAP.EXE File created C:\Windows\system32\perfh00C.dat WMIADAP.EXE File created C:\Windows\system32\PerfStringBackup.TMP WMIADAP.EXE -
Suspicious use of SetThreadContext 6 IoCs
Processes:
kanilzbpgdul.exeMicrosoftEdgeUpdater.exefdjrmaypnxal.exedescription pid process target process PID 2344 set thread context of 1344 2344 kanilzbpgdul.exe conhost.exe PID 2344 set thread context of 1656 2344 kanilzbpgdul.exe svchost.exe PID 2044 set thread context of 2936 2044 MicrosoftEdgeUpdater.exe dialer.exe PID 2604 set thread context of 1780 2604 fdjrmaypnxal.exe dialer.exe PID 2604 set thread context of 1372 2604 fdjrmaypnxal.exe dialer.exe PID 2604 set thread context of 2408 2604 fdjrmaypnxal.exe dialer.exe -
Drops file in Windows directory 6 IoCs
Processes:
WMIADAP.EXEwusa.exesvchost.exewusa.exedescription ioc process File created C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini WMIADAP.EXE File created C:\Windows\wusa.lock wusa.exe File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf svchost.exe File created C:\Windows\wusa.lock wusa.exe File created C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h WMIADAP.EXE -
Launches sc.exe 18 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 2652 sc.exe 2092 sc.exe 272 sc.exe 1428 sc.exe 484 sc.exe 1472 sc.exe 2404 sc.exe 2272 sc.exe 1548 sc.exe 2740 sc.exe 1856 sc.exe 2040 sc.exe 2732 sc.exe 908 sc.exe 2488 sc.exe 564 sc.exe 2608 sc.exe 2868 sc.exe -
Detects Pyinstaller 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 7026a1a23eb0da01 powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
jhi_service.exekanilzbpgdul.exesvchost.exeMicrosoftEdgeUpdater.exepowershell.exedialer.exefdjrmaypnxal.exepowershell.exepid process 2184 jhi_service.exe 2184 jhi_service.exe 2184 jhi_service.exe 2184 jhi_service.exe 2184 jhi_service.exe 2184 jhi_service.exe 2184 jhi_service.exe 2184 jhi_service.exe 2344 kanilzbpgdul.exe 2344 kanilzbpgdul.exe 2344 kanilzbpgdul.exe 2344 kanilzbpgdul.exe 2344 kanilzbpgdul.exe 2344 kanilzbpgdul.exe 1656 svchost.exe 2044 MicrosoftEdgeUpdater.exe 1656 svchost.exe 1656 svchost.exe 1656 svchost.exe 1656 svchost.exe 1656 svchost.exe 1656 svchost.exe 1656 svchost.exe 1656 svchost.exe 320 powershell.exe 1656 svchost.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2936 dialer.exe 2936 dialer.exe 2936 dialer.exe 2936 dialer.exe 2936 dialer.exe 2936 dialer.exe 2936 dialer.exe 2936 dialer.exe 2044 MicrosoftEdgeUpdater.exe 2936 dialer.exe 2936 dialer.exe 2936 dialer.exe 2936 dialer.exe 2044 MicrosoftEdgeUpdater.exe 2044 MicrosoftEdgeUpdater.exe 2936 dialer.exe 2936 dialer.exe 2936 dialer.exe 2936 dialer.exe 1656 svchost.exe 2604 fdjrmaypnxal.exe 2936 dialer.exe 2936 dialer.exe 3012 powershell.exe 2936 dialer.exe 2936 dialer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
7zFM.exepid process 2624 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
7zFM.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowershell.exepowercfg.exedialer.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowershell.exepowercfg.exeExplorer.EXEdialer.exepowercfg.exepowercfg.exepowercfg.exedescription pid process Token: SeRestorePrivilege 2624 7zFM.exe Token: 35 2624 7zFM.exe Token: SeSecurityPrivilege 2624 7zFM.exe Token: SeShutdownPrivilege 1748 powercfg.exe Token: SeShutdownPrivilege 2484 powercfg.exe Token: SeShutdownPrivilege 1232 powercfg.exe Token: SeShutdownPrivilege 2856 powercfg.exe Token: SeShutdownPrivilege 2332 powercfg.exe Token: SeShutdownPrivilege 1968 powercfg.exe Token: SeShutdownPrivilege 2208 powercfg.exe Token: SeShutdownPrivilege 400 powercfg.exe Token: SeLockMemoryPrivilege 1656 svchost.exe Token: SeDebugPrivilege 320 powershell.exe Token: SeShutdownPrivilege 1804 powercfg.exe Token: SeDebugPrivilege 2936 dialer.exe Token: SeShutdownPrivilege 2144 powercfg.exe Token: SeShutdownPrivilege 2136 powercfg.exe Token: SeShutdownPrivilege 3068 powercfg.exe Token: SeAuditPrivilege 848 svchost.exe Token: SeDebugPrivilege 3012 powershell.exe Token: SeShutdownPrivilege 2976 powercfg.exe Token: SeShutdownPrivilege 1212 Explorer.EXE Token: SeDebugPrivilege 1780 dialer.exe Token: SeShutdownPrivilege 1904 powercfg.exe Token: SeShutdownPrivilege 1944 powercfg.exe Token: SeShutdownPrivilege 1932 powercfg.exe Token: SeAssignPrimaryTokenPrivilege 848 svchost.exe Token: SeIncreaseQuotaPrivilege 848 svchost.exe Token: SeSecurityPrivilege 848 svchost.exe Token: SeTakeOwnershipPrivilege 848 svchost.exe Token: SeLoadDriverPrivilege 848 svchost.exe Token: SeSystemtimePrivilege 848 svchost.exe Token: SeBackupPrivilege 848 svchost.exe Token: SeRestorePrivilege 848 svchost.exe Token: SeShutdownPrivilege 848 svchost.exe Token: SeSystemEnvironmentPrivilege 848 svchost.exe Token: SeUndockPrivilege 848 svchost.exe Token: SeManageVolumePrivilege 848 svchost.exe Token: SeAssignPrimaryTokenPrivilege 848 svchost.exe Token: SeIncreaseQuotaPrivilege 848 svchost.exe Token: SeSecurityPrivilege 848 svchost.exe Token: SeTakeOwnershipPrivilege 848 svchost.exe Token: SeLoadDriverPrivilege 848 svchost.exe Token: SeSystemtimePrivilege 848 svchost.exe Token: SeBackupPrivilege 848 svchost.exe Token: SeRestorePrivilege 848 svchost.exe Token: SeShutdownPrivilege 848 svchost.exe Token: SeSystemEnvironmentPrivilege 848 svchost.exe Token: SeUndockPrivilege 848 svchost.exe Token: SeManageVolumePrivilege 848 svchost.exe Token: SeAssignPrimaryTokenPrivilege 848 svchost.exe Token: SeIncreaseQuotaPrivilege 848 svchost.exe Token: SeSecurityPrivilege 848 svchost.exe Token: SeTakeOwnershipPrivilege 848 svchost.exe Token: SeLoadDriverPrivilege 848 svchost.exe Token: SeSystemtimePrivilege 848 svchost.exe Token: SeBackupPrivilege 848 svchost.exe Token: SeRestorePrivilege 848 svchost.exe Token: SeShutdownPrivilege 848 svchost.exe Token: SeSystemEnvironmentPrivilege 848 svchost.exe Token: SeUndockPrivilege 848 svchost.exe Token: SeManageVolumePrivilege 848 svchost.exe Token: SeAssignPrimaryTokenPrivilege 848 svchost.exe Token: SeIncreaseQuotaPrivilege 848 svchost.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
7zFM.exepid process 2624 7zFM.exe 2624 7zFM.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
conhost.exepid process 1584 conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exe7zFM.exeLunarExecutorV1.2.EXEfinal1.EXEnum2.EXEkanilzbpgdul.execmd.exeMicrosoftEdgeUpdater.exedialer.exedescription pid process target process PID 1808 wrote to memory of 2624 1808 cmd.exe 7zFM.exe PID 1808 wrote to memory of 2624 1808 cmd.exe 7zFM.exe PID 1808 wrote to memory of 2624 1808 cmd.exe 7zFM.exe PID 2624 wrote to memory of 2248 2624 7zFM.exe LunarExecutorV1.2.EXE PID 2624 wrote to memory of 2248 2624 7zFM.exe LunarExecutorV1.2.EXE PID 2624 wrote to memory of 2248 2624 7zFM.exe LunarExecutorV1.2.EXE PID 2248 wrote to memory of 2616 2248 LunarExecutorV1.2.EXE final1.EXE PID 2248 wrote to memory of 2616 2248 LunarExecutorV1.2.EXE final1.EXE PID 2248 wrote to memory of 2616 2248 LunarExecutorV1.2.EXE final1.EXE PID 2616 wrote to memory of 2692 2616 final1.EXE num2.EXE PID 2616 wrote to memory of 2692 2616 final1.EXE num2.EXE PID 2616 wrote to memory of 2692 2616 final1.EXE num2.EXE PID 2692 wrote to memory of 2184 2692 num2.EXE jhi_service.exe PID 2692 wrote to memory of 2184 2692 num2.EXE jhi_service.exe PID 2692 wrote to memory of 2184 2692 num2.EXE jhi_service.exe PID 2344 wrote to memory of 1344 2344 kanilzbpgdul.exe conhost.exe PID 2344 wrote to memory of 1344 2344 kanilzbpgdul.exe conhost.exe PID 2344 wrote to memory of 1344 2344 kanilzbpgdul.exe conhost.exe PID 2344 wrote to memory of 1344 2344 kanilzbpgdul.exe conhost.exe PID 2344 wrote to memory of 1344 2344 kanilzbpgdul.exe conhost.exe PID 2344 wrote to memory of 1344 2344 kanilzbpgdul.exe conhost.exe PID 2344 wrote to memory of 1344 2344 kanilzbpgdul.exe conhost.exe PID 2344 wrote to memory of 1344 2344 kanilzbpgdul.exe conhost.exe PID 2344 wrote to memory of 1344 2344 kanilzbpgdul.exe conhost.exe PID 2344 wrote to memory of 1656 2344 kanilzbpgdul.exe svchost.exe PID 2344 wrote to memory of 1656 2344 kanilzbpgdul.exe svchost.exe PID 2344 wrote to memory of 1656 2344 kanilzbpgdul.exe svchost.exe PID 2344 wrote to memory of 1656 2344 kanilzbpgdul.exe svchost.exe PID 2344 wrote to memory of 1656 2344 kanilzbpgdul.exe svchost.exe PID 2692 wrote to memory of 2044 2692 num2.EXE MicrosoftEdgeUpdater.exe PID 2692 wrote to memory of 2044 2692 num2.EXE MicrosoftEdgeUpdater.exe PID 2692 wrote to memory of 2044 2692 num2.EXE MicrosoftEdgeUpdater.exe PID 672 wrote to memory of 580 672 cmd.exe wusa.exe PID 672 wrote to memory of 580 672 cmd.exe wusa.exe PID 672 wrote to memory of 580 672 cmd.exe wusa.exe PID 2044 wrote to memory of 2936 2044 MicrosoftEdgeUpdater.exe dialer.exe PID 2044 wrote to memory of 2936 2044 MicrosoftEdgeUpdater.exe dialer.exe PID 2044 wrote to memory of 2936 2044 MicrosoftEdgeUpdater.exe dialer.exe PID 2044 wrote to memory of 2936 2044 MicrosoftEdgeUpdater.exe dialer.exe PID 2044 wrote to memory of 2936 2044 MicrosoftEdgeUpdater.exe dialer.exe PID 2044 wrote to memory of 2936 2044 MicrosoftEdgeUpdater.exe dialer.exe PID 2044 wrote to memory of 2936 2044 MicrosoftEdgeUpdater.exe dialer.exe PID 2936 wrote to memory of 436 2936 dialer.exe winlogon.exe PID 2936 wrote to memory of 488 2936 dialer.exe services.exe PID 2936 wrote to memory of 496 2936 dialer.exe lsass.exe PID 2936 wrote to memory of 504 2936 dialer.exe lsm.exe PID 2936 wrote to memory of 600 2936 dialer.exe svchost.exe PID 2936 wrote to memory of 680 2936 dialer.exe svchost.exe PID 2936 wrote to memory of 756 2936 dialer.exe svchost.exe PID 2936 wrote to memory of 812 2936 dialer.exe svchost.exe PID 2936 wrote to memory of 848 2936 dialer.exe svchost.exe PID 2936 wrote to memory of 960 2936 dialer.exe svchost.exe PID 2936 wrote to memory of 1020 2936 dialer.exe svchost.exe PID 2936 wrote to memory of 344 2936 dialer.exe spoolsv.exe PID 2936 wrote to memory of 1064 2936 dialer.exe svchost.exe PID 2936 wrote to memory of 1104 2936 dialer.exe taskhost.exe PID 2936 wrote to memory of 1164 2936 dialer.exe Dwm.exe PID 2936 wrote to memory of 1212 2936 dialer.exe Explorer.EXE PID 2936 wrote to memory of 2996 2936 dialer.exe svchost.exe PID 2936 wrote to memory of 2384 2936 dialer.exe sppsvc.exe PID 2936 wrote to memory of 1808 2936 dialer.exe cmd.exe PID 2936 wrote to memory of 1908 2936 dialer.exe conhost.exe PID 2936 wrote to memory of 2624 2936 dialer.exe 7zFM.exe PID 2936 wrote to memory of 2248 2936 dialer.exe LunarExecutorV1.2.EXE
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:436
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
PID:488 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵PID:600
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding3⤵PID:2108
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding3⤵PID:2688
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵PID:680
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
- Modifies security service
- Drops file in System32 directory
PID:756 -
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵PID:812
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵PID:1164
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:848 -
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R3⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1936 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵PID:1020
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵PID:344
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵PID:1064
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵PID:1104
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵PID:2996
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵PID:2384
-
C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exeC:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:400 -
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe3⤵PID:1344
-
C:\Windows\system32\svchost.exesvchost.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656 -
C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exeC:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2604 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:400
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
PID:1896 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
PID:2040 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1428 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
PID:564 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
PID:2652 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
PID:2092 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904 -
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵PID:1372
-
C:\Windows\system32\dialer.exedialer.exe3⤵PID:2408
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:496
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵PID:504
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1212 -
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Lunar Release.rar"2⤵
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lunar Release.rar"3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\7zO04A54CA6\LunarExecutorV1.2.EXE"C:\Users\Admin\AppData\Local\Temp\7zO04A54CA6\LunarExecutorV1.2.EXE"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\final1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\final1.EXE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXEC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXE6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exe7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2184 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 08⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 08⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 08⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 08⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "HDNFMUHS"8⤵
- Launches sc.exe
PID:2608 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "HDNFMUHS" binpath= "C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe" start= "auto"8⤵
- Launches sc.exe
PID:1548 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog8⤵
- Launches sc.exe
PID:2732 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "HDNFMUHS"8⤵
- Launches sc.exe
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart8⤵
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart9⤵
- Drops file in Windows directory
PID:580 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc8⤵
- Launches sc.exe
PID:484 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc8⤵
- Launches sc.exe
PID:1472 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv8⤵
- Launches sc.exe
PID:2868 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits8⤵
- Launches sc.exe
PID:2404 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc8⤵
- Launches sc.exe
PID:908 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 08⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 08⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 08⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 08⤵
- Suspicious use of AdjustPrivilegeToken
PID:3068 -
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "YWZWALUU"8⤵
- Launches sc.exe
PID:272 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "YWZWALUU" binpath= "C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe" start= "auto"8⤵
- Launches sc.exe
PID:2488 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog8⤵
- Launches sc.exe
PID:1856 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "YWZWALUU"8⤵
- Launches sc.exe
PID:2272 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "18636244762037937165-1132024937-11388184721765603568-1565940907-757815405926784044"1⤵PID:1908
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "76027693910246559923408951821036525137-10000899101216221018-5196798191479692048"1⤵PID:1912
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "953458906-95577133620140569-1304227540994153774543753285-214043789-424179933"1⤵PID:748
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1331306730-155978936314140864419740903201361877903666487616-1617962815-682980414"1⤵PID:776
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1268697727622580652884812469-1139635105-888073211615513164-663042504-584175105"1⤵PID:1860
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-952326796-1784166280-513518014-15510524501646561599-16093908792020020542-91323062"1⤵PID:1028
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2241305601023621771-5789790864615289-1309186291-1648235562797704275760804750"1⤵PID:2832
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "732554367-1319369074-1177199511-12376710541394921224-2073829729-707800739-1083588964"1⤵PID:2528
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "424091320-106835720482719228647862840-1430717964142215368-395471002-2022979236"1⤵PID:2576
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-10313659791633592817-1368131950-19698155531238855234818116419731952047-1992842420"1⤵PID:1040
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "59374003614261425602105730056810833148-3043395787307585161576945307-924769589"1⤵PID:1772
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2107892631-1433568471-19041070286725679-19536861096028556521364369085573323969"1⤵PID:1044
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "319342230-1140508973-934119466243853401-620655851-1223752029150657226-1035545015"1⤵PID:2360
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "67708734-19104691472014323481780791630-16717715923565588621598994262-915677495"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1584
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "194386492-2008439544-516069018-207442737010042544021470993792-2105651720-1458078087"1⤵PID:748
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1004597626-267875555-3106890477442291891107768881-298304662-1978278812-907822173"1⤵PID:2960
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-679605298-1861030541872956440-143728074224952443307083651-1416561457-1992155721"1⤵PID:1804
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1832933528743444601-166696633-6915084713991499581431487298-105817059-102268656"1⤵PID:2016
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXEFilesize
4.3MB
MD5e6fe75c4390d3970545f0fdbb3274244
SHA18b6ed33f1778800cf0549bd7214249bdb81fbb58
SHA25648aaa21d99bf5fb15abc6945911438e5f3ac4c378ac89bc4eb850200f9f648d5
SHA51217b0911f13a1348e6511faf412f63721e7df7b196ae3a6acb86789eb04a2f8a90a42a6931a0c0ad45ee98910c4661c6db7e43623c560a963cd4d021ce9b1ad20
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exeFilesize
2.7MB
MD519c095e1c399bdaa0663caa9162f0b0e
SHA1cb5504712ec965f7c43883f2f251823755b1e37e
SHA25638edfd7aa66f3ae1f376b9cdce558befd877d749e38306f412e8db436cb56713
SHA512a2a8e9e5140d7b306ba98d3674aa89b3e287cdf39bcf4b326148d963c38052fc65e99a17c0bf846150d71ff3efbd2c9d4b61b4c2d5847f8c9afa222af4c946d9
-
C:\Users\Admin\AppData\Local\Temp\_MEI9482\python312.dllFilesize
6.6MB
MD53c388ce47c0d9117d2a50b3fa5ac981d
SHA1038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
C:\Windows\System32\perfc007.datFilesize
145KB
MD519c7052de3b7281b4c1c6bfbb543c5dc
SHA1d2e12081a14c1069c89f2cee7357a559c27786e7
SHA25614ed6cb3198e80964cbc687a60aed24fb68d1bbd7588f983dc1fc6ae63514b4a
SHA512289ca791909882c857014bd24e777fa84b533896508b562051b529d4c27e0d98bc41c801c6384b382f5dc0fa584dc8f713939c636543b0a5cf5ea2b396300f83
-
C:\Windows\System32\perfc00A.datFilesize
154KB
MD5f0ecfbfa3e3e59fd02197018f7e9cb84
SHA1961e9367a4ef3a189466c0a0a186faf8958bdbc4
SHA256cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324
SHA512116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294
-
C:\Windows\System32\perfc00C.datFilesize
145KB
MD5ce233fa5dc5adcb87a5185617a0ff6ac
SHA12e2747284b1204d3ab08733a29fdbabdf8dc55b9
SHA25668d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31
SHA5121e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2
-
C:\Windows\System32\perfc010.datFilesize
142KB
MD5d73172c6cb697755f87cd047c474cf91
SHA1abc5c7194abe32885a170ca666b7cce8251ac1d6
SHA2569de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57
SHA5127c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6
-
C:\Windows\System32\perfc011.datFilesize
114KB
MD51f998386566e5f9b7f11cc79254d1820
SHA1e1da5fe1f305099b94de565d06bc6f36c6794481
SHA2561665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea
SHA512a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f
-
C:\Windows\System32\perfh007.datFilesize
680KB
MD5b69ab3aeddb720d6ef8c05ff88c23b38
SHA1d830c2155159656ed1806c7c66cae2a54a2441fa
SHA25624c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625
SHA5124c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d
-
C:\Windows\System32\perfh009.datFilesize
646KB
MD5aecab86cc5c705d7a036cba758c1d7b0
SHA1e88cf81fd282d91c7fc0efae13c13c55f4857b5e
SHA2569bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066
SHA512e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8
-
C:\Windows\System32\perfh00A.datFilesize
727KB
MD57d0bac4e796872daa3f6dc82c57f4ca8
SHA1b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a
SHA256ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879
SHA512145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e
-
C:\Windows\System32\perfh00C.datFilesize
727KB
MD55f684ce126de17a7d4433ed2494c5ca9
SHA1ce1a30a477daa1bac2ec358ce58731429eafe911
SHA2562e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c
SHA5124d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b
-
C:\Windows\System32\perfh010.datFilesize
722KB
MD54623482c106cf6cc1bac198f31787b65
SHA15abb0decf7b42ef5daf7db012a742311932f6dad
SHA256eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349
SHA512afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f
-
C:\Windows\System32\perfh011.datFilesize
406KB
MD554c674d19c0ff72816402f66f6c3d37c
SHA12dcc0269545a213648d59dc84916d9ec2d62a138
SHA256646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5
SHA5124d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f
-
C:\Windows\System32\wbem\Performance\WmiApRpl.hFilesize
3KB
MD5b133a676d139032a27de3d9619e70091
SHA11248aa89938a13640252a79113930ede2f26f1fa
SHA256ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5
-
C:\Windows\System32\wbem\Performance\WmiApRpl.iniFilesize
27KB
MD546d08e3a55f007c523ac64dce6dcf478
SHA162edf88697e98d43f32090a2197bead7e7244245
SHA2565b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614
SHA512b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\final1.EXEFilesize
36.9MB
MD54e463f20f2fd3d53e026b543af7cf6d5
SHA1d682f9e49845b855a7b16c584b528e13fcd3fbd6
SHA256b95fdb4a4b5303fda5264c1879f3ad1c847d7fea4c924e7aef7e5248f5796054
SHA51294e7ea55e96ce1118abd283473e66dedc933d7b6bf10713e3da4db5fa91bba3ca0a61580f01213c62282c7b272855c8c8b43e2f3fa410339349676f8d6eaf6de
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXEFilesize
32.9MB
MD59ca4353663a5be5e7fa26ef45f412bfc
SHA19b1b6457f81e5342ef6d441ac43b57b3bc2353d9
SHA25602c868b4e9b704c0114e045d816e0ad7ec9d224635d53ce614770d9d681ff7d9
SHA512ccd19903395d49d621bc09fbfd2fa8fe9f7fdbeff3922498f8ebeb880e1a00db715d72eca1c3a4e60a53fd36df2811f3b263d7ccf9f1d137279c37db107da991
-
\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exeFilesize
2.5MB
MD51994ad04639f3d12c7bbfa37feb3434f
SHA14979247e5a9771286a91827851527e5dbfb80c8e
SHA256c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c
SHA512adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43
-
\Users\Admin\AppData\Local\Temp\_MEI9482\api-ms-win-core-file-l1-2-0.dllFilesize
21KB
MD51c58526d681efe507deb8f1935c75487
SHA10e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA5128edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1
-
\Users\Admin\AppData\Local\Temp\_MEI9482\api-ms-win-core-file-l2-1-0.dllFilesize
18KB
MD5bfffa7117fd9b1622c66d949bac3f1d7
SHA1402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA2561ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f
-
\Users\Admin\AppData\Local\Temp\_MEI9482\api-ms-win-core-localization-l1-2-0.dllFilesize
21KB
MD5724223109e49cb01d61d63a8be926b8f
SHA1072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA2564e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA51219b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c
-
\Users\Admin\AppData\Local\Temp\_MEI9482\api-ms-win-core-processthreads-l1-1-1.dllFilesize
21KB
MD5517eb9e2cb671ae49f99173d7f7ce43f
SHA14ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA25657cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be
-
\Users\Admin\AppData\Local\Temp\_MEI9482\api-ms-win-core-timezone-l1-1-0.dllFilesize
21KB
MD5d12403ee11359259ba2b0706e5e5111c
SHA103cc7827a30fd1dee38665c0cc993b4b533ac138
SHA256f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781
SHA5129004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0
-
\Users\Admin\AppData\Local\Temp\_MEI9482\ucrtbase.dllFilesize
992KB
MD50e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
memory/320-95-0x00000000026D0000-0x00000000026D8000-memory.dmpFilesize
32KB
-
memory/320-94-0x000000001B4A0000-0x000000001B782000-memory.dmpFilesize
2.9MB
-
memory/436-107-0x00000000003F0000-0x0000000000414000-memory.dmpFilesize
144KB
-
memory/436-113-0x0000000000C60000-0x0000000000C8B000-memory.dmpFilesize
172KB
-
memory/436-114-0x000007FEBD470000-0x000007FEBD480000-memory.dmpFilesize
64KB
-
memory/436-115-0x00000000372A0000-0x00000000372B0000-memory.dmpFilesize
64KB
-
memory/436-109-0x00000000003F0000-0x0000000000414000-memory.dmpFilesize
144KB
-
memory/488-117-0x0000000000320000-0x000000000034B000-memory.dmpFilesize
172KB
-
memory/488-118-0x000007FEBD470000-0x000007FEBD480000-memory.dmpFilesize
64KB
-
memory/488-119-0x00000000372A0000-0x00000000372B0000-memory.dmpFilesize
64KB
-
memory/496-124-0x00000000000A0000-0x00000000000CB000-memory.dmpFilesize
172KB
-
memory/496-126-0x00000000372A0000-0x00000000372B0000-memory.dmpFilesize
64KB
-
memory/496-125-0x000007FEBD470000-0x000007FEBD480000-memory.dmpFilesize
64KB
-
memory/1344-62-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1344-65-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1344-63-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1344-61-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1344-60-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1344-66-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/1656-75-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-69-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-74-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-71-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-77-0x00000000000D0000-0x00000000000F0000-memory.dmpFilesize
128KB
-
memory/1656-89-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-88-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-87-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-83-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-84-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-86-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-85-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-76-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-72-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1656-70-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2936-99-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2936-97-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2936-98-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2936-101-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2936-102-0x0000000077260000-0x0000000077409000-memory.dmpFilesize
1.7MB
-
memory/2936-103-0x0000000077040000-0x000000007715F000-memory.dmpFilesize
1.1MB
-
memory/2936-104-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2936-96-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3012-464-0x0000000000A30000-0x0000000000A38000-memory.dmpFilesize
32KB
-
memory/3012-463-0x000000001A0B0000-0x000000001A392000-memory.dmpFilesize
2.9MB