Overview

Score per task as shown in the page's task tabs (file names are truncated as on the page; the full names are in the task list below):
- Static: 10
- Lunar Release.rar: 3 (windows7-x64), 10 (windows10-2004-x64)
- Lunar Rele....2.exe: 3 (windows10-2004-x64)
- Lunar Rele...ch.dll: 10 (windows7-x64), 1 (windows10-2004-x64)
- Lunar Rele...on.dll: 1 (windows7-x64), 1 (windows10-2004-x64)
- Lunar Rele...al.txt: 1 (windows7-x64), 1 (windows10-2004-x64)
- Lunar Rele...ld.txt: 1 (windows7-x64), 1 (windows10-2004-x64)
- Lunar Rele...sf.ico: 1 (windows7-x64), 1 (windows10-2004-x64)
- Lunar Rele...eld.js: 3 (windows7-x64), 3 (windows10-2004-x64)
- Lunar Rele...se.txt: 3 (windows7-x64), 1 (windows10-2004-x64)
- Lunar Rele...ces.js: 1 (windows7-x64), 3 (windows10-2004-x64)
Analysis (score 3)

- max time kernel: 139s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-05-2024 15:52

This page shows the behavioral1 run (Lunar Release.rar on win7-20240221-en); the signatures, process tree and dropped files below come from that run.
Tasks

Static task: static1

Behavioral tasks (task: sample on resource):
- behavioral1: Lunar Release.rar on win7-20240221-en
- behavioral2: Lunar Release.rar on win10v2004-20240508-en
- behavioral3: Lunar Release/LunarExecutorV1.2.exe on win10v2004-20240426-en
- behavioral4: Lunar Release/auto_attach.dll on win7-20240508-en
- behavioral5: Lunar Release/auto_attach.dll on win10v2004-20240508-en
- behavioral6: Lunar Release/byfron.dll on win7-20240221-en
- behavioral7: Lunar Release/byfron.dll on win10v2004-20240508-en
- behavioral8: Lunar Release/fonts and logo/Arial.txt on win7-20240508-en
- behavioral9: Lunar Release/fonts and logo/Arial.txt on win10v2004-20240508-en
- behavioral10: Lunar Release/fonts and logo/Bold.txt on win7-20240508-en
- behavioral11: Lunar Release/fonts and logo/Bold.txt on win10v2004-20240426-en
- behavioral12: Lunar Release/fonts and logo/fdsfdsf.ico on win7-20240221-en
- behavioral13: Lunar Release/fonts and logo/fdsfdsf.ico on win10v2004-20240426-en
- behavioral14: Lunar Release/infinite yield.js on win7-20240419-en
- behavioral15: Lunar Release/infinite yield.js on win10v2004-20240426-en
- behavioral16: Lunar Release/license.txt on win7-20240221-en
- behavioral17: Lunar Release/license.txt on win10v2004-20240426-en
- behavioral18: Lunar Release/resources.js on win7-20240419-en
- behavioral19: Lunar Release/resources.js on win10v2004-20240508-en
General

- Target: Lunar Release.rar
- Size: 57.5MB
- MD5: 17e97ff9038efe7e34cfe0e4dcb8588a
- SHA1: 7664f96e2d9a1fdc55428f476a7dd0ce1a88d5d9
- SHA256: 625003c81f3726f91c74f306fe26bdd73efa3050499bc49849aa463ff7cd64fe
- SHA512: 407952e00df66b3c157ac5e8e25b569a12d6ed37d741d09764818e7ccc6c996d9fe96cc77b30feac23728bf71284cab111b6fc5df59b42d2fec862df888c96f9
- SSDEEP: 1572864:jtIsfSjSGt+a0Sb/u95f3f9fvBva+05Zqknd5RNI:JIsfSjSGtTcfvbaLZJjs
Signatures
XMRig Miner payload (9 IoCs)
  yara rule "xmrig" matched in behavioral1 memory dumps of PID 800, region 0x0000000140000000-0x0000000140848000: dumps 800-99, 800-100, 800-102, 800-103, 800-104, 800-105, 800-106, 800-107, 800-108.

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
  Processes: 2408 powershell.exe; 1808 powershell.exe

Creates new service(s) (2 TTPs)

Sets service image path in registry (2 TTPs, 1 IoC)
  services.exe set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\YWZWALUU\ImagePath = "C:\\ProgramData\\bbskkvrqdoji\\fdjrmaypnxal.exe"

Executes dropped EXE (7 IoCs)
  2340 LunarExecutorV1.2.EXE; 2924 final1.EXE; 2540 num2.EXE; 1364 jhi_service.exe; 1860 MicrosoftEdgeUpdater.exe; 480 services.exe; 1600 kanilzbpgdul.exe

Loads dropped DLL (8 IoCs)
  2552 7zFM.exe; 2340 LunarExecutorV1.2.EXE; 2924 final1.EXE; 2540 num2.EXE (x4); 480 services.exe

UPX (yara rule "upx", 14 IoCs)
  Matched in behavioral1 memory dumps of PID 800, the same region 0x0000000140000000-0x0000000140848000 as the xmrig hits: dumps 800-94 through 800-100 and 800-102 through 800-108.

Adds Run key to start application (2 TTPs, 3 IoCs)
  LunarExecutorV1.2.EXE set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  final1.EXE set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  num2.EXE set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Note: wextract_cleanupN values under RunOnce that call advpack.dll,DelNodeRunDLL32 are the standard cleanup an IExpress self-extractor (wextract) registers to delete its IXP00N.TMP directory at next logon. They identify the three nested droppers as IExpress packages; the payload's persistence is the auto-start services created with sc.exe in the process tree, not these keys.

Drops file in System32 directory (2 IoCs)
  powershell.exe opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  MicrosoftEdgeUpdater.exe opened for modification C:\Windows\system32\MRT.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1600 kanilzbpgdul.exe set thread context of PID 2944 conhost.exe
  PID 1600 kanilzbpgdul.exe set thread context of PID 800 svchost.exe
  PID 1860 MicrosoftEdgeUpdater.exe set thread context of PID 2588 dialer.exe

Drops file in Windows directory (1 IoC)
  wusa.exe created C:\Windows\wusa.lock

Launches sc.exe (18 IoCs)
  sc.exe is the Windows command-line utility for controlling services.
  PIDs: 696, 1912, 2052, 2488, 1576, 632, 1860, 1084, 2580, 2520, 2984, 1528, 2880, 580, 1760, 2276, 768, 320

Detects PyInstaller (7 IoCs)
  yara rule "pyinstaller" matched: \Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE (x3); C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE (x3); C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LUNARE~1.EXE (x1)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (41 IoCs)
  1364 jhi_service.exe (x8); 1600 kanilzbpgdul.exe (x6); 1860 MicrosoftEdgeUpdater.exe (x16); 800 svchost.exe (x6); 2408 powershell.exe (x1); 2588 dialer.exe (x4)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  2552 7zFM.exe

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  2552 7zFM.exe: SeRestorePrivilege; 35; SeSecurityPrivilege (x2)
  powercfg.exe: SeShutdownPrivilege in PIDs 1108, 532, 2024, 1680, 1028, 1260, 1032, 2948, 1256, 2456, 1652, 1744
  800 svchost.exe: SeLockMemoryPrivilege
  2408 powershell.exe: SeDebugPrivilege
  2588 dialer.exe: SeDebugPrivilege
  Note: SeLockMemoryPrivilege in PID 800, the process carrying the xmrig and upx yara hits, is consistent with XMRig enabling large-page memory for hashing. SeDebugPrivilege in dialer.exe (PID 2588) is what lets it write into the SYSTEM processes listed under WriteProcessMemory below.

Suspicious use of FindShellTrayWindow (3 IoCs)
  2552 7zFM.exe (x3)

Suspicious use of WriteProcessMemory (64 IoCs)
  Source PID (process) -> target PID (process), with count:
  328 cmd.exe -> 2552 7zFM.exe (x3)
  2552 7zFM.exe -> 2340 LunarExecutorV1.2.EXE (x3)
  2340 LunarExecutorV1.2.EXE -> 2924 final1.EXE (x3)
  2924 final1.EXE -> 2540 num2.EXE (x3)
  2540 num2.EXE -> 1364 jhi_service.exe (x3)
  2540 num2.EXE -> 1860 MicrosoftEdgeUpdater.exe (x3)
  1600 kanilzbpgdul.exe -> 2944 conhost.exe (x9)
  1600 kanilzbpgdul.exe -> 800 svchost.exe (x5)
  2316 cmd.exe -> 1060 wusa.exe (x3)
  1860 MicrosoftEdgeUpdater.exe -> 2588 dialer.exe (x7)
  2588 dialer.exe -> one write into each of 436 winlogon.exe, 480 services.exe, 496 lsass.exe, 504 lsm.exe, 604 svchost.exe, 680 svchost.exe, 748 svchost.exe, 816 svchost.exe, 860 svchost.exe, 972 svchost.exe, 280 svchost.exe, 356 spoolsv.exe, 1068 svchost.exe, 1116 taskhost.exe, 1172 Dwm.exe, 1200 Explorer.EXE, 1788 svchost.exe, 2160 sppsvc.exe, 328 cmd.exe, 2088 conhost.exe, 2552 7zFM.exe, 2720 wmiprvse.exe (22)
  Note: the uniform three writes from each parent into the child it has just started are the benign process-startup pattern. The entries that matter are the pairs that also appear under SetThreadContext (1600 -> 2944 and 800; 1860 -> 2588), which is process hollowing of conhost.exe, svchost.exe and dialer.exe, and dialer.exe then writing once into every other running process, lsass.exe and winlogon.exe included.
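The command lines in this report form a repeatable loader playbook: Defender exclusions via Add-MpPreference, silent removal of KB890830 (the Malicious Software Removal Tool) with wusa, sc.exe stopping the update services and the Event Log, sc.exe creating an auto-start service whose binary sits under C:\ProgramData, and powercfg zeroing every sleep and hibernate timeout so the miner stays running. The Python below is an added detection example written for this page; it is not part of the sandbox report, the sample, or any vendor tooling. It runs six regex rules over constructed process-creation events (the pid|ppid|image|cmdline layout is made up, modelled on the command lines in the process tree, with two benign admin commands as negatives) and correlates hits by parent PID, because a single sc stop or powercfg call is weak evidence while one parent spawning all six is not. The rule names and the threshold of three distinct rules per parent are my choices.

```python
"""Correlate loader-playbook command lines per parent process.

Added example for this page, not code from the sandbox report or the
sample. The event layout and the parent PIDs are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed process-creation events, one per line: pid|ppid|image|cmdline.
# They mirror the report's process tree (parent 1860 is MicrosoftEdgeUpdater.exe
# there); the last two lines are benign admin commands added as negatives.
# This is not real telemetry and not a real log format.
SAMPLE_EVENTS = r"""
1860|2540|C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe|C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe
2408|1860|C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2316|1860|C:\Windows\system32\cmd.exe|cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
696|1860|C:\Windows\system32\sc.exe|sc.exe stop UsoSvc
2052|1860|C:\Windows\system32\sc.exe|sc.exe stop WaaSMedicSvc
1652|1860|C:\Windows\system32\powercfg.exe|powercfg.exe /x -hibernate-timeout-ac 0
2984|1860|C:\Windows\system32\sc.exe|sc.exe create "YWZWALUU" binpath= "C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe" start= "auto"
1528|1860|C:\Windows\system32\sc.exe|sc.exe stop eventlog
4242|1200|C:\Windows\system32\sc.exe|sc.exe query wuauserv
4243|1200|C:\Windows\system32\powercfg.exe|powercfg.exe /list
"""

# (rule name, regex over the command line). Names are this example's own.
RULES = [
    # Defender exclusions added from the command line.
    ("defender_exclusion",
     r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b"),
    # Silent removal of KB890830, the Malicious Software Removal Tool.
    ("mrt_uninstall", r"\bwusa(\.exe)?\s+/uninstall\s+/kb:890830\b"),
    # Windows Update, BITS and Delivery Optimization services stopped.
    ("update_service_stop",
     r"\bsc(\.exe)?\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b"),
    # Event Log service stopped (anti-forensics).
    ("eventlog_stop", r"\bsc(\.exe)?\s+stop\s+eventlog\b"),
    # Auto-start service whose binary lives under ProgramData.
    ("service_from_programdata",
     r'\bsc(\.exe)?\s+create\s+.*binpath=\s*"?[A-Za-z]:\\ProgramData\\'),
    # Sleep/hibernate timeouts zeroed so the host never idles.
    ("power_timeouts_zeroed",
     r"\bpowercfg(\.exe)?\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    ppid: int
    child_pids: list = field(default_factory=list)
    rules: set = field(default_factory=set)

    def is_suspicious(self, threshold: int = 3) -> bool:
        # One hit alone (an admin stopping bits, say) is weak; the loader in
        # the report triggers all six rules from a single parent.
        return len(self.rules) >= threshold


def parse_events(text: str) -> list:
    """Parse pid|ppid|image|cmdline lines; the command line may contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(Event(int(pid), int(ppid), image, cmdline))
    return events


def match_rules(event: Event) -> list:
    """Names of every rule whose regex matches the event's command line."""
    return [name for name, rx in COMPILED if rx.search(event.cmdline)]


def correlate(events) -> dict:
    """Group rule hits by parent PID; parents with no hits are omitted."""
    findings = {}
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        f = findings.setdefault(ev.ppid, Finding(ppid=ev.ppid))
        f.child_pids.append(ev.pid)
        f.rules.update(hits)
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)).values():
        verdict = "SUSPICIOUS" if f.is_suspicious() else "low"
        print(f"parent {f.ppid}: {verdict} {sorted(f.rules)} via children {f.child_pids}")
```

On the constructed input only parent 1860 is reported, with all six rules; the two commands under Explorer.EXE (PID 1200) produce no finding. In a real pipeline the same correlation should key on the process GUID rather than the PID, since the report itself shows PID reuse (1260 and 2948 each appear twice in the tree).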
Processes (indented by parent/child depth; signatures attributed to a process follow it in brackets)

- PID 436  C:\Windows\system32\winlogon.exe  (cmdline: winlogon.exe)
- PID 480  C:\Windows\system32\services.exe  [Sets service image path in registry; Executes dropped EXE; Loads dropped DLL]
  - PID 604  C:\Windows\system32\svchost.exe -k DcomLaunch
    - PID 2720  C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    - PID 1588  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - PID 680  C:\Windows\system32\svchost.exe -k RPCSS
  - PID 748  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - PID 816  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    - PID 1172  "C:\Windows\system32\Dwm.exe"
  - PID 860  C:\Windows\system32\svchost.exe -k netsvcs
  - PID 972  C:\Windows\system32\svchost.exe -k LocalService
  - PID 280  C:\Windows\system32\svchost.exe -k NetworkService
  - PID 356  C:\Windows\System32\spoolsv.exe
  - PID 1068  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - PID 1116  C:\Windows\system32\taskhost.exe  (cmdline: "taskhost.exe")
  - PID 1788  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - PID 2160  C:\Windows\system32\sppsvc.exe
  - PID 1600  C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe  [Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory]
    - PID 1260  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0  [Suspicious use of AdjustPrivilegeToken]
    - PID 1032  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0  [Suspicious use of AdjustPrivilegeToken]
    - PID 2948  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0  [Suspicious use of AdjustPrivilegeToken]
    - PID 1028  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0  [Suspicious use of AdjustPrivilegeToken]
    - PID 2944  C:\Windows\system32\conhost.exe
    - PID 800  C:\Windows\system32\svchost.exe  (cmdline: svchost.exe)  [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
  - PID 1936  C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe
    - PID 1808  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force  [Command and Scripting Interpreter: PowerShell]
    - PID 1512  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - PID 3028  C:\Windows\system32\wusa.exe  (cmdline: wusa /uninstall /kb:890830 /quiet /norestart)
    - PID 632  C:\Windows\system32\sc.exe stop UsoSvc  [Launches sc.exe]
    - PID 1912  C:\Windows\system32\sc.exe stop WaaSMedicSvc  [Launches sc.exe]
    - PID 1860  C:\Windows\system32\sc.exe stop wuauserv  [Launches sc.exe]
    - PID 320  C:\Windows\system32\sc.exe stop bits  [Launches sc.exe]
    - PID 2880  C:\Windows\system32\sc.exe stop dosvc  [Launches sc.exe]
    - PID 2928  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    - PID 2228  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    - PID 908  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    - PID 2948  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    - PID 1260  C:\Windows\system32\dialer.exe
    - PID 2360  C:\Windows\system32\dialer.exe
    - PID 1952  C:\Windows\system32\dialer.exe  (cmdline: dialer.exe)
- PID 496  C:\Windows\system32\lsass.exe
- PID 504  C:\Windows\system32\lsm.exe
- PID 1200  C:\Windows\Explorer.EXE
  - PID 328  C:\Windows\system32\cmd.exe  (cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\Lunar Release.rar")  [Suspicious use of WriteProcessMemory]
    - PID 2552  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lunar Release.rar"  [Loads dropped DLL; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory]
      - PID 2340  "C:\Users\Admin\AppData\Local\Temp\7zO8F906738\LunarExecutorV1.2.EXE"  [Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory]
        - PID 2924  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\final1.EXE  [Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory]
          - PID 2540  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXE  [Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory]
            - PID 1364  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exe  [Executes dropped EXE; Suspicious behavior: EnumeratesProcesses]
              - PID 1108  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0  [Suspicious use of AdjustPrivilegeToken]
              - PID 532  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0  [Suspicious use of AdjustPrivilegeToken]
              - PID 2024  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0  [Suspicious use of AdjustPrivilegeToken]
              - PID 1680  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0  [Suspicious use of AdjustPrivilegeToken]
              - PID 580  C:\Windows\system32\sc.exe delete "HDNFMUHS"  [Launches sc.exe]
              - PID 1084  C:\Windows\system32\sc.exe create "HDNFMUHS" binpath= "C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe" start= "auto"  [Launches sc.exe]
              - PID 2276  C:\Windows\system32\sc.exe stop eventlog  [Launches sc.exe]
              - PID 1760  C:\Windows\system32\sc.exe start "HDNFMUHS"  [Launches sc.exe]
            - PID 1860  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe  [Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory]
              - PID 2408  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force  [Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
              - PID 2316  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart  [Suspicious use of WriteProcessMemory]
                - PID 1060  C:\Windows\system32\wusa.exe  (cmdline: wusa /uninstall /kb:890830 /quiet /norestart)  [Drops file in Windows directory]
              - PID 696  C:\Windows\system32\sc.exe stop UsoSvc  [Launches sc.exe]
              - PID 2052  C:\Windows\system32\sc.exe stop WaaSMedicSvc  [Launches sc.exe]
              - PID 2580  C:\Windows\system32\sc.exe stop wuauserv  [Launches sc.exe]
              - PID 2488  C:\Windows\system32\sc.exe stop bits  [Launches sc.exe]
              - PID 2520  C:\Windows\system32\sc.exe stop dosvc  [Launches sc.exe]
              - PID 1652  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0  [Suspicious use of AdjustPrivilegeToken]
              - PID 2456  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0  [Suspicious use of AdjustPrivilegeToken]
              - PID 1256  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0  [Suspicious use of AdjustPrivilegeToken]
              - PID 1744  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0  [Suspicious use of AdjustPrivilegeToken]
              - PID 2588  C:\Windows\system32\dialer.exe  [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
              - PID 1576  C:\Windows\system32\sc.exe delete "YWZWALUU"  [Launches sc.exe]
              - PID 2984  C:\Windows\system32\sc.exe create "YWZWALUU" binpath= "C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe" start= "auto"  [Launches sc.exe]
              - PID 1528  C:\Windows\system32\sc.exe stop eventlog  [Launches sc.exe]
              - PID 768  C:\Windows\system32\sc.exe start "YWZWALUU"  [Launches sc.exe]
          - PID 1732  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
            - PID 5840  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
      - PID 1516  "C:\Users\Admin\AppData\Local\Temp\7zO8F9EF668\LunarExecutorV1.2.EXE"
        - PID 6028  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\final1.EXE
          - PID 6100  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\num2.EXE
            - PID 3060  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\jhi_service.exe
  - PID 2688  "C:\Windows\explorer.exe"
- PID 2088  C:\Windows\system32\conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe "-2021708849-1559179626401383935-19782237251133485279-924798382-69915368-1232659407")

Note: the two service binaries under C:\ProgramData (kanilzbpgdul.exe, PID 1600, and fdjrmaypnxal.exe, PID 1936) run as children of services.exe because they were registered with sc.exe create ... start= "auto" and then started with sc.exe start; each replays the same sequence of powercfg, sc.exe stop and process-hollowing steps that its dropper ran from the user session. PIDs 1260 and 2948 each appear twice in the tree because the sandbox records PID reuse.
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1 TTP): PowerShell (1)
- System Services (2 TTPs): Service Execution (2)

Persistence
- Boot or Logon Autostart Execution (2 TTPs): Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (2 TTPs): Windows Service (2)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXEFilesize
13.2MB
MD5350b6927616e5f51b663061210424d56
SHA1839688422b436e25a9be1ae1d2a9e92242db5a7f
SHA2567e982d09f56afbc2ca6c2f2b19c5d425aabbc50361d2776d2fb379bde8e73216
SHA512c8e4ad550ed0d274008e4d316f7c1ce6697425771b5c5f6ffe15c0a1b3870ca0c18ced4e058608fe1a93c02c3541ea07528207accf9cb5e54b791357831eefb5
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXEFilesize
19.6MB
MD5bada8076a5da89f951468a567b4e84de
SHA1f5b0a85c487cfd4a38ef4a36786e16359569b32d
SHA256e413ebebbb4a32e0da0bddf558cc48660112977294d58de63492100b0cdd5629
SHA512535a73a5d26befdb1334d7a7b230b0f9725870c349c96667301d5de5486043cb5257ed95ad6e348b08e42748de65bfd8524127b55115e988f288d187f18d4174
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXEFilesize
32.9MB
MD59ca4353663a5be5e7fa26ef45f412bfc
SHA19b1b6457f81e5342ef6d441ac43b57b3bc2353d9
SHA25602c868b4e9b704c0114e045d816e0ad7ec9d224635d53ce614770d9d681ff7d9
SHA512ccd19903395d49d621bc09fbfd2fa8fe9f7fdbeff3922498f8ebeb880e1a00db715d72eca1c3a4e60a53fd36df2811f3b263d7ccf9f1d137279c37db107da991
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXEFilesize
4.3MB
MD5e6fe75c4390d3970545f0fdbb3274244
SHA18b6ed33f1778800cf0549bd7214249bdb81fbb58
SHA25648aaa21d99bf5fb15abc6945911438e5f3ac4c378ac89bc4eb850200f9f648d5
SHA51217b0911f13a1348e6511faf412f63721e7df7b196ae3a6acb86789eb04a2f8a90a42a6931a0c0ad45ee98910c4661c6db7e43623c560a963cd4d021ce9b1ad20
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exeFilesize
2.7MB
MD519c095e1c399bdaa0663caa9162f0b0e
SHA1cb5504712ec965f7c43883f2f251823755b1e37e
SHA25638edfd7aa66f3ae1f376b9cdce558befd877d749e38306f412e8db436cb56713
SHA512a2a8e9e5140d7b306ba98d3674aa89b3e287cdf39bcf4b326148d963c38052fc65e99a17c0bf846150d71ff3efbd2c9d4b61b4c2d5847f8c9afa222af4c946d9
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\final1.EXEFilesize
4.5MB
MD58e008886b908f8f14bc3db54f9419d66
SHA1e4e948e2d200ed7ed2126445b8407f022cc60f05
SHA25612fa9e96aed00e2fb347eea37b8e08b34ff94eef5c838ed151ad236380e78e3e
SHA512e28787e5da1298729a124300045c937bfd15110d7b1d77adaf904cc6ac4bd0f090a42744ed508487b8f7647558bd5d38048f287d2f3dea692cab0ba3a3d173b8
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\final1.EXEFilesize
2.4MB
MD557c91786f289fe677223ae11bdc735ee
SHA1656628427c5c837a666b3c43847bba56edb0f126
SHA256ddf7876036b9d11d3a91bfc19be2a4c601ed98077fe82f6d30bd4b6b219ba710
SHA5126cf8e288c35efdccce4f53fd8d5596402f28f7de0d54e661e3a79ad8738873c976369459458e2ba60294b3c55e19af3607674a011d7789ea26fb2df1d677eaa9
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exeFilesize
2.5MB
MD51994ad04639f3d12c7bbfa37feb3434f
SHA14979247e5a9771286a91827851527e5dbfb80c8e
SHA256c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c
SHA512adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LUNARE~1.EXEFilesize
4.4MB
MD520a4e7ed0288e0232e9e779276c3565c
SHA1016271c30cc37d408ef554e69f64bdbf9b5e5261
SHA256c5adbecbe3e2dca07ca61e0da4bda309a281fd163c08e36fb028ebbb99f18b30
SHA5129ca4251c439afaaea778fc206639c3c240e445837765a642c29a2b70722ce9040a5f41ce6214f8cc8f685b4af880f05b621a44f1f6964b58fcb2339f6db914bb
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\num2.EXEFilesize
1.8MB
MD59dea22946a2684b2f4dde49c3272617b
SHA1fd0025b98c3e0e04aeabc91b8f119ceb1a163c62
SHA25604803655235f36c5fdaabadb4e984bb83bbdefbc42d45d13397ae57b8176bc34
SHA512f1e485aec604d60029d3994fdd6e2536edefd755101a6c131a981df2e898fdc25632b93fef66e1ddc6853022b6ad6a44a49441105066168d1f506098fe1f445d
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\num2.EXEFilesize
576KB
MD5b5ce367479dd6c7e29b99a820a0f0d79
SHA14a2d1b29769e69b5f6d11d01d3e8674bcb32bb93
SHA256ae08e751c227ae21e7e66e939cf5d03117ea06e0d0cb0621c74b62ac7830e538
SHA5126bdd158068a7fe2448a5eb0f183ebdc257beacfc0cfd59d174d506c40bba527cd8ae376eb018ab406e377a6185580a99c5ba66688e7d307d8ae8144e3c807cf0
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\final1.EXEFilesize
36.9MB
MD54e463f20f2fd3d53e026b543af7cf6d5
SHA1d682f9e49845b855a7b16c584b528e13fcd3fbd6
SHA256b95fdb4a4b5303fda5264c1879f3ad1c847d7fea4c924e7aef7e5248f5796054
SHA51294e7ea55e96ce1118abd283473e66dedc933d7b6bf10713e3da4db5fa91bba3ca0a61580f01213c62282c7b272855c8c8b43e2f3fa410339349676f8d6eaf6de
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXEFilesize
13.3MB
MD5823fac7f93290f61fbabb204c4bb052e
SHA1875c3e816bad5ef9c15a36f96f5e7b5486c032af
SHA256ae8133f4b694e5ac0af14f2ca1e1034b0671b3971d9df512ab9427334f75b10e
SHA51208deb3643e1e74c4dd2e9388556be6976013ca9ad0cd5896f53fc12a9327c70ad28d157b43cb8229bbda1d6cfedc29d2376b82c4d0d89db074a29025d641a50b
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXEFilesize
19.9MB
MD506b2bef85e8591cbbde8986c8a1d13c0
SHA1b57e283ba78b84920b36d50bd333ec45bab79a62
SHA256936c4ed35409ff9163bc4fba704325b4962d02aadfc6e3f27b55a2f2079cfadb
SHA512518f6b96ce4a978d468cd3a0c11456cbc9ab53caffe996db49eca545dd9eb99e5e69dfa59cd6cfc6712c8982e5a872327e6906e217f10250bcac0ab73dde461a
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
Filesize 26.2MB
MD5 71216a6574adeb7655124b04ea5c3446
SHA1 b96ecc50ad0fe3eaea07d2d774ea71ec86354e0a
SHA256 d3f17c2ab0e7a44d489b3466d986d3f1eff3a3ee820575469a8ed1386e616700
SHA512 e0109ae6cc6ce973aef9023f8f3fbe95faa7a911a6801252dcaaeef9eb7cf5aabe8e2a90c7bad2b936407f805db13b9bb4aacbf4df1f39fae3f78be626af6fc6
-
\Users\Admin\AppData\Local\Temp\IXP002.TMP\final1.EXE
Filesize 7.1MB
MD5 898398a53796e582fb2acdbaaaa11245
SHA1 528dfcbfb90a42ba8cc9888bf39fe51ca0400758
SHA256 bab8c40606545fc5de3700debe1ced3befec3762ef5f6b46e394570351fcd591
SHA512 26137dcb5f1e46164a196222fb968130ecbda64f4eab153ecc421b52f75016c8c1f14717d2c5cc3a4d3a077d5c8582609769cd8017e6d14b3896f1ac9e8b2f53
-
\Users\Admin\AppData\Local\Temp\IXP003.TMP\num2.EXE
Filesize 640KB
MD5 3d633dbc5613ee92c0666381275c9eff
SHA1 bf4645490d37a98f2161cbec3b68424e6648691c
SHA256 e6743f6a69dc96618f7f4a107ebb10672acfef6ac7f2c8d37e717627d56a0f28
SHA512 d0c26ddb904e1999a73159ae2f01256d3f8b251098206ed8aa184250f9d6f62fe2f80d7c274ea19bb3ca61c68fcb5d27cdf0768cb5552899fde43365c7c0f47d
-
\Users\Admin\AppData\Local\Temp\_MEI17322\api-ms-win-core-file-l1-2-0.dll
Filesize 21KB
MD5 1c58526d681efe507deb8f1935c75487
SHA1 0e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256 ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA512 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1
-
\Users\Admin\AppData\Local\Temp\_MEI17322\api-ms-win-core-file-l2-1-0.dll
Filesize 18KB
MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f
-
\Users\Admin\AppData\Local\Temp\_MEI17322\api-ms-win-core-localization-l1-2-0.dll
Filesize 21KB
MD5 724223109e49cb01d61d63a8be926b8f
SHA1 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA256 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA512 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c
-
\Users\Admin\AppData\Local\Temp\_MEI17322\api-ms-win-core-processthreads-l1-1-1.dll
Filesize 21KB
MD5 517eb9e2cb671ae49f99173d7f7ce43f
SHA1 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA256 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be
-
\Users\Admin\AppData\Local\Temp\_MEI17322\api-ms-win-core-timezone-l1-1-0.dll
Filesize 21KB
MD5 d12403ee11359259ba2b0706e5e5111c
SHA1 03cc7827a30fd1dee38665c0cc993b4b533ac138
SHA256 f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781
SHA512 9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0
-
\Users\Admin\AppData\Local\Temp\_MEI17322\python312.dll
Filesize 6.6MB
MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
\Users\Admin\AppData\Local\Temp\_MEI17322\ucrtbase.dll
Filesize 992KB
MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
memory/436-137-0x000007FEBE300000-0x000007FEBE310000-memory.dmp
Filesize 64KB
-
memory/436-127-0x0000000000C00000-0x0000000000C24000-memory.dmp
Filesize 144KB
-
memory/436-129-0x0000000000C00000-0x0000000000C24000-memory.dmp
Filesize 144KB
-
memory/436-136-0x0000000000C30000-0x0000000000C5B000-memory.dmp
Filesize 172KB
-
memory/436-138-0x00000000370B0000-0x00000000370C0000-memory.dmp
Filesize 64KB
-
memory/480-154-0x00000000370B0000-0x00000000370C0000-memory.dmp
Filesize 64KB
-
memory/480-150-0x00000000001E0000-0x000000000020B000-memory.dmp
Filesize 172KB
-
memory/480-152-0x000007FEBE300000-0x000007FEBE310000-memory.dmp
Filesize 64KB
-
memory/496-140-0x00000000001F0000-0x000000000021B000-memory.dmp
Filesize 172KB
-
memory/496-141-0x000007FEBE300000-0x000007FEBE310000-memory.dmp
Filesize 64KB
-
memory/496-142-0x00000000370B0000-0x00000000370C0000-memory.dmp
Filesize 64KB
-
memory/800-95-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-99-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-101-0x0000000000130000-0x0000000000150000-memory.dmp
Filesize 128KB
-
memory/800-105-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-106-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-104-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-103-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-102-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-100-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-94-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-98-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-96-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-97-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-108-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/800-107-0x0000000140000000-0x0000000140848000-memory.dmp
Filesize 8.3MB
-
memory/1808-363-0x000000001A250000-0x000000001A532000-memory.dmp
Filesize 2.9MB
-
memory/1808-364-0x00000000003C0000-0x00000000003C8000-memory.dmp
Filesize 32KB
-
memory/2408-115-0x0000000001E30000-0x0000000001E38000-memory.dmp
Filesize 32KB
-
memory/2408-114-0x000000001B670000-0x000000001B952000-memory.dmp
Filesize 2.9MB
-
memory/2588-116-0x0000000140000000-0x000000014002B000-memory.dmp
Filesize 172KB
-
memory/2588-117-0x0000000140000000-0x000000014002B000-memory.dmp
Filesize 172KB
-
memory/2588-121-0x0000000140000000-0x000000014002B000-memory.dmp
Filesize 172KB
-
memory/2588-122-0x0000000077070000-0x0000000077219000-memory.dmp
Filesize 1.7MB
-
memory/2588-124-0x0000000140000000-0x000000014002B000-memory.dmp
Filesize 172KB
-
memory/2588-119-0x0000000140000000-0x000000014002B000-memory.dmp
Filesize 172KB
-
memory/2588-118-0x0000000140000000-0x000000014002B000-memory.dmp
Filesize 172KB
-
memory/2588-123-0x0000000076F50000-0x000000007706F000-memory.dmp
Filesize 1.1MB
-
memory/2944-87-0x0000000140000000-0x000000014000D000-memory.dmp
Filesize 52KB
-
memory/2944-85-0x0000000140000000-0x000000014000D000-memory.dmp
Filesize 52KB
-
memory/2944-86-0x0000000140000000-0x000000014000D000-memory.dmp
Filesize 52KB
-
memory/2944-91-0x0000000140000000-0x000000014000D000-memory.dmp
Filesize 52KB
-
memory/2944-88-0x0000000140000000-0x000000014000D000-memory.dmp
Filesize 52KB
-
memory/2944-89-0x0000000140000000-0x000000014000D000-memory.dmp
Filesize 52KB