xmrig | 625003c81f3726f91c74f306fe26bdd73efa3050499bc49849aa463ff7cd64fe

Analysis

max time kernel
139s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lunar Release.rar
Size

57.5MB
MD5

17e97ff9038efe7e34cfe0e4dcb8588a
SHA1

7664f96e2d9a1fdc55428f476a7dd0ce1a88d5d9
SHA256

625003c81f3726f91c74f306fe26bdd73efa3050499bc49849aa463ff7cd64fe
SHA512

407952e00df66b3c157ac5e8e25b569a12d6ed37d741d09764818e7ccc6c996d9fe96cc77b30feac23728bf71284cab111b6fc5df59b42d2fec862df888c96f9
SSDEEP

1572864:jtIsfSjSGt+a0Sb/u95f3f9fvBva+05Zqknd5RNI:JIsfSjSGtTcfvbaLZJjs

Score

10^/10

xmrig evasion execution miner persistence pyinstaller upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/800-105-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/800-106-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/800-104-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/800-103-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/800-102-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/800-100-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/800-99-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/800-107-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/800-108-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2408 powershell.exe
1808 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

pid	process
2408	powershell.exe
1808	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\YWZWALUU\ImagePath = "C:\\ProgramData\\bbskkvrqdoji\\fdjrmaypnxal.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 7 IoCs

Processes:

LunarExecutorV1.2.EXEfinal1.EXEnum2.EXEjhi_service.exeMicrosoftEdgeUpdater.exeservices.exekanilzbpgdul.exe

pid process

2340 LunarExecutorV1.2.EXE
2924 final1.EXE
2540 num2.EXE
1364 jhi_service.exe
1860 MicrosoftEdgeUpdater.exe
480 services.exe
1600 kanilzbpgdul.exe
Loads dropped DLL 8 IoCs

Processes:

7zFM.exeLunarExecutorV1.2.EXEfinal1.EXEnum2.EXEservices.exe

pid process

2552 7zFM.exe
2340 LunarExecutorV1.2.EXE
2924 final1.EXE
2540 num2.EXE
2540 num2.EXE
2540 num2.EXE
2540 num2.EXE
480 services.exe

pid	process
2340	LunarExecutorV1.2.EXE
2924	final1.EXE
2540	num2.EXE
1364	jhi_service.exe
1860	MicrosoftEdgeUpdater.exe
480	services.exe
1600	kanilzbpgdul.exe

pid	process
2552	7zFM.exe
2340	LunarExecutorV1.2.EXE
2924	final1.EXE
2540	num2.EXE
2540	num2.EXE
2540	num2.EXE
2540	num2.EXE
480	services.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/800-105-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-106-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-104-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-103-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-102-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-100-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-99-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-98-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-97-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-96-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-95-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-94-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-107-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/800-108-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

final1.EXEnum2.EXELunarExecutorV1.2.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	final1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	num2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	LunarExecutorV1.2.EXE

Drops file in System32 directory 2 IoCs

Processes:

powershell.exeMicrosoftEdgeUpdater.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	MicrosoftEdgeUpdater.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kanilzbpgdul.exeMicrosoftEdgeUpdater.exe

description	pid	process	target process
PID 1600 set thread context of 2944	1600	kanilzbpgdul.exe	conhost.exe
PID 1600 set thread context of 800	1600	kanilzbpgdul.exe	svchost.exe
PID 1860 set thread context of 2588	1860	MicrosoftEdgeUpdater.exe	dialer.exe

Drops file in Windows directory 1 IoCs

Processes:

wusa.exe

description ioc process

File created C:\Windows\wusa.lock wusa.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 18 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
696	sc.exe
1912	sc.exe
2052	sc.exe
2488	sc.exe
1576	sc.exe
632	sc.exe
1860	sc.exe
1084	sc.exe
2580	sc.exe
2520	sc.exe
2984	sc.exe
1528	sc.exe
2880	sc.exe
580	sc.exe
1760	sc.exe
2276	sc.exe
768	sc.exe
320	sc.exe

Detects Pyinstaller 7 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE	pyinstaller
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE	pyinstaller
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LUNARE~1.EXE	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

jhi_service.exekanilzbpgdul.exeMicrosoftEdgeUpdater.exesvchost.exepowershell.exedialer.exe

pid	process
1364	jhi_service.exe
1364	jhi_service.exe
1364	jhi_service.exe
1364	jhi_service.exe
1364	jhi_service.exe
1364	jhi_service.exe
1364	jhi_service.exe
1364	jhi_service.exe
1600	kanilzbpgdul.exe
1600	kanilzbpgdul.exe
1600	kanilzbpgdul.exe
1600	kanilzbpgdul.exe
1600	kanilzbpgdul.exe
1600	kanilzbpgdul.exe
1860	MicrosoftEdgeUpdater.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
2408	powershell.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
2588	dialer.exe
2588	dialer.exe
2588	dialer.exe
2588	dialer.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
1860	MicrosoftEdgeUpdater.exe
800	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2552 7zFM.exe

pid	process
2552	7zFM.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

7zFM.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowershell.exepowercfg.exepowercfg.exedialer.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeRestorePrivilege	2552	7zFM.exe
Token: 35	2552	7zFM.exe
Token: SeSecurityPrivilege	2552	7zFM.exe
Token: SeSecurityPrivilege	2552	7zFM.exe
Token: SeShutdownPrivilege	1108	powercfg.exe
Token: SeShutdownPrivilege	532	powercfg.exe
Token: SeShutdownPrivilege	2024	powercfg.exe
Token: SeShutdownPrivilege	1680	powercfg.exe
Token: SeShutdownPrivilege	1028	powercfg.exe
Token: SeShutdownPrivilege	1260	powercfg.exe
Token: SeShutdownPrivilege	1032	powercfg.exe
Token: SeShutdownPrivilege	2948	powercfg.exe
Token: SeLockMemoryPrivilege	800	svchost.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeShutdownPrivilege	1256	powercfg.exe
Token: SeShutdownPrivilege	2456	powercfg.exe
Token: SeDebugPrivilege	2588	dialer.exe
Token: SeShutdownPrivilege	1652	powercfg.exe
Token: SeShutdownPrivilege	1744	powercfg.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe

pid process

2552 7zFM.exe
2552 7zFM.exe
2552 7zFM.exe

pid	process
2552	7zFM.exe
2552	7zFM.exe
2552	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe7zFM.exeLunarExecutorV1.2.EXEfinal1.EXEnum2.EXEkanilzbpgdul.execmd.exeMicrosoftEdgeUpdater.exedialer.exe

description	pid	process	target process
PID 328 wrote to memory of 2552	328	cmd.exe	7zFM.exe
PID 328 wrote to memory of 2552	328	cmd.exe	7zFM.exe
PID 328 wrote to memory of 2552	328	cmd.exe	7zFM.exe
PID 2552 wrote to memory of 2340	2552	7zFM.exe	LunarExecutorV1.2.EXE
PID 2552 wrote to memory of 2340	2552	7zFM.exe	LunarExecutorV1.2.EXE
PID 2552 wrote to memory of 2340	2552	7zFM.exe	LunarExecutorV1.2.EXE
PID 2340 wrote to memory of 2924	2340	LunarExecutorV1.2.EXE	final1.EXE
PID 2340 wrote to memory of 2924	2340	LunarExecutorV1.2.EXE	final1.EXE
PID 2340 wrote to memory of 2924	2340	LunarExecutorV1.2.EXE	final1.EXE
PID 2924 wrote to memory of 2540	2924	final1.EXE	num2.EXE
PID 2924 wrote to memory of 2540	2924	final1.EXE	num2.EXE
PID 2924 wrote to memory of 2540	2924	final1.EXE	num2.EXE
PID 2540 wrote to memory of 1364	2540	num2.EXE	jhi_service.exe
PID 2540 wrote to memory of 1364	2540	num2.EXE	jhi_service.exe
PID 2540 wrote to memory of 1364	2540	num2.EXE	jhi_service.exe
PID 2540 wrote to memory of 1860	2540	num2.EXE	MicrosoftEdgeUpdater.exe
PID 2540 wrote to memory of 1860	2540	num2.EXE	MicrosoftEdgeUpdater.exe
PID 2540 wrote to memory of 1860	2540	num2.EXE	MicrosoftEdgeUpdater.exe
PID 1600 wrote to memory of 2944	1600	kanilzbpgdul.exe	conhost.exe
PID 1600 wrote to memory of 2944	1600	kanilzbpgdul.exe	conhost.exe
PID 1600 wrote to memory of 2944	1600	kanilzbpgdul.exe	conhost.exe
PID 1600 wrote to memory of 2944	1600	kanilzbpgdul.exe	conhost.exe
PID 1600 wrote to memory of 2944	1600	kanilzbpgdul.exe	conhost.exe
PID 1600 wrote to memory of 2944	1600	kanilzbpgdul.exe	conhost.exe
PID 1600 wrote to memory of 2944	1600	kanilzbpgdul.exe	conhost.exe
PID 1600 wrote to memory of 2944	1600	kanilzbpgdul.exe	conhost.exe
PID 1600 wrote to memory of 2944	1600	kanilzbpgdul.exe	conhost.exe
PID 1600 wrote to memory of 800	1600	kanilzbpgdul.exe	svchost.exe
PID 1600 wrote to memory of 800	1600	kanilzbpgdul.exe	svchost.exe
PID 1600 wrote to memory of 800	1600	kanilzbpgdul.exe	svchost.exe
PID 1600 wrote to memory of 800	1600	kanilzbpgdul.exe	svchost.exe
PID 1600 wrote to memory of 800	1600	kanilzbpgdul.exe	svchost.exe
PID 2316 wrote to memory of 1060	2316	cmd.exe	wusa.exe
PID 2316 wrote to memory of 1060	2316	cmd.exe	wusa.exe
PID 2316 wrote to memory of 1060	2316	cmd.exe	wusa.exe
PID 1860 wrote to memory of 2588	1860	MicrosoftEdgeUpdater.exe	dialer.exe
PID 1860 wrote to memory of 2588	1860	MicrosoftEdgeUpdater.exe	dialer.exe
PID 1860 wrote to memory of 2588	1860	MicrosoftEdgeUpdater.exe	dialer.exe
PID 1860 wrote to memory of 2588	1860	MicrosoftEdgeUpdater.exe	dialer.exe
PID 1860 wrote to memory of 2588	1860	MicrosoftEdgeUpdater.exe	dialer.exe
PID 1860 wrote to memory of 2588	1860	MicrosoftEdgeUpdater.exe	dialer.exe
PID 1860 wrote to memory of 2588	1860	MicrosoftEdgeUpdater.exe	dialer.exe
PID 2588 wrote to memory of 436	2588	dialer.exe	winlogon.exe
PID 2588 wrote to memory of 480	2588	dialer.exe	services.exe
PID 2588 wrote to memory of 496	2588	dialer.exe	lsass.exe
PID 2588 wrote to memory of 504	2588	dialer.exe	lsm.exe
PID 2588 wrote to memory of 604	2588	dialer.exe	svchost.exe
PID 2588 wrote to memory of 680	2588	dialer.exe	svchost.exe
PID 2588 wrote to memory of 748	2588	dialer.exe	svchost.exe
PID 2588 wrote to memory of 816	2588	dialer.exe	svchost.exe
PID 2588 wrote to memory of 860	2588	dialer.exe	svchost.exe
PID 2588 wrote to memory of 972	2588	dialer.exe	svchost.exe
PID 2588 wrote to memory of 280	2588	dialer.exe	svchost.exe
PID 2588 wrote to memory of 356	2588	dialer.exe	spoolsv.exe
PID 2588 wrote to memory of 1068	2588	dialer.exe	svchost.exe
PID 2588 wrote to memory of 1116	2588	dialer.exe	taskhost.exe
PID 2588 wrote to memory of 1172	2588	dialer.exe	Dwm.exe
PID 2588 wrote to memory of 1200	2588	dialer.exe	Explorer.EXE
PID 2588 wrote to memory of 1788	2588	dialer.exe	svchost.exe
PID 2588 wrote to memory of 2160	2588	dialer.exe	sppsvc.exe
PID 2588 wrote to memory of 328	2588	dialer.exe	cmd.exe
PID 2588 wrote to memory of 2088	2588	dialer.exe	conhost.exe
PID 2588 wrote to memory of 2552	2588	dialer.exe	7zFM.exe
PID 2588 wrote to memory of 2720	2588	dialer.exe	wmiprvse.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
PID:480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:604

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
3⤵
PID:2720

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
3⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:816

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:280

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1068

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1788

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:2160

C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
3⤵
PID:2944

C:\Windows\system32\svchost.exe
svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe
C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe
2⤵
PID:1936

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1512

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:3028

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:632

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1912

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:1860

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:320

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:2880

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:2928

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:2228

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:908

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:2948

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
3⤵
PID:1260

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
3⤵
PID:2360

C:\Windows\system32\dialer.exe
dialer.exe
3⤵
PID:1952

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Lunar Release.rar"
2⤵
- Suspicious use of WriteProcessMemory
PID:328

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lunar Release.rar"
3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\7zO8F906738\LunarExecutorV1.2.EXE
"C:\Users\Admin\AppData\Local\Temp\7zO8F906738\LunarExecutorV1.2.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\final1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\final1.EXE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXE
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exe
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "HDNFMUHS"
8⤵
- Launches sc.exe
PID:580

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "HDNFMUHS" binpath= "C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe" start= "auto"
8⤵
- Launches sc.exe
PID:1084

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
8⤵
- Launches sc.exe
PID:2276

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "HDNFMUHS"
8⤵
- Launches sc.exe
PID:1760

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
8⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
9⤵
- Drops file in Windows directory
PID:1060

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
8⤵
- Launches sc.exe
PID:696

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
8⤵
- Launches sc.exe
PID:2052

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
8⤵
- Launches sc.exe
PID:2580

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
8⤵
- Launches sc.exe
PID:2488

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
8⤵
- Launches sc.exe
PID:2520

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "YWZWALUU"
8⤵
- Launches sc.exe
PID:1576

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "YWZWALUU" binpath= "C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe" start= "auto"
8⤵
- Launches sc.exe
PID:2984

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
8⤵
- Launches sc.exe
PID:1528

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "YWZWALUU"
8⤵
- Launches sc.exe
PID:768

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
6⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
7⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\7zO8F9EF668\LunarExecutorV1.2.EXE
"C:\Users\Admin\AppData\Local\Temp\7zO8F9EF668\LunarExecutorV1.2.EXE"
4⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\final1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\final1.EXE
5⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\num2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\num2.EXE
6⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\jhi_service.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\jhi_service.exe
7⤵
PID:3060

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2021708849-1559179626401383935-19782237251133485279-924798382-69915368-1232659407"
1⤵
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
Filesize
13.2MB

MD5
350b6927616e5f51b663061210424d56

SHA1
839688422b436e25a9be1ae1d2a9e92242db5a7f

SHA256
7e982d09f56afbc2ca6c2f2b19c5d425aabbc50361d2776d2fb379bde8e73216

SHA512
c8e4ad550ed0d274008e4d316f7c1ce6697425771b5c5f6ffe15c0a1b3870ca0c18ced4e058608fe1a93c02c3541ea07528207accf9cb5e54b791357831eefb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
Filesize
19.6MB

MD5
bada8076a5da89f951468a567b4e84de

SHA1
f5b0a85c487cfd4a38ef4a36786e16359569b32d

SHA256
e413ebebbb4a32e0da0bddf558cc48660112977294d58de63492100b0cdd5629

SHA512
535a73a5d26befdb1334d7a7b230b0f9725870c349c96667301d5de5486043cb5257ed95ad6e348b08e42748de65bfd8524127b55115e988f288d187f18d4174

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
Filesize
32.9MB

MD5
9ca4353663a5be5e7fa26ef45f412bfc

SHA1
9b1b6457f81e5342ef6d441ac43b57b3bc2353d9

SHA256
02c868b4e9b704c0114e045d816e0ad7ec9d224635d53ce614770d9d681ff7d9

SHA512
ccd19903395d49d621bc09fbfd2fa8fe9f7fdbeff3922498f8ebeb880e1a00db715d72eca1c3a4e60a53fd36df2811f3b263d7ccf9f1d137279c37db107da991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXE
Filesize
4.3MB

MD5
e6fe75c4390d3970545f0fdbb3274244

SHA1
8b6ed33f1778800cf0549bd7214249bdb81fbb58

SHA256
48aaa21d99bf5fb15abc6945911438e5f3ac4c378ac89bc4eb850200f9f648d5

SHA512
17b0911f13a1348e6511faf412f63721e7df7b196ae3a6acb86789eb04a2f8a90a42a6931a0c0ad45ee98910c4661c6db7e43623c560a963cd4d021ce9b1ad20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe
Filesize
2.7MB

MD5
19c095e1c399bdaa0663caa9162f0b0e

SHA1
cb5504712ec965f7c43883f2f251823755b1e37e

SHA256
38edfd7aa66f3ae1f376b9cdce558befd877d749e38306f412e8db436cb56713

SHA512
a2a8e9e5140d7b306ba98d3674aa89b3e287cdf39bcf4b326148d963c38052fc65e99a17c0bf846150d71ff3efbd2c9d4b61b4c2d5847f8c9afa222af4c946d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\final1.EXE
Filesize
4.5MB

MD5
8e008886b908f8f14bc3db54f9419d66

SHA1
e4e948e2d200ed7ed2126445b8407f022cc60f05

SHA256
12fa9e96aed00e2fb347eea37b8e08b34ff94eef5c838ed151ad236380e78e3e

SHA512
e28787e5da1298729a124300045c937bfd15110d7b1d77adaf904cc6ac4bd0f090a42744ed508487b8f7647558bd5d38048f287d2f3dea692cab0ba3a3d173b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\final1.EXE
Filesize
2.4MB

MD5
57c91786f289fe677223ae11bdc735ee

SHA1
656628427c5c837a666b3c43847bba56edb0f126

SHA256
ddf7876036b9d11d3a91bfc19be2a4c601ed98077fe82f6d30bd4b6b219ba710

SHA512
6cf8e288c35efdccce4f53fd8d5596402f28f7de0d54e661e3a79ad8738873c976369459458e2ba60294b3c55e19af3607674a011d7789ea26fb2df1d677eaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exe
Filesize
2.5MB

MD5
1994ad04639f3d12c7bbfa37feb3434f

SHA1
4979247e5a9771286a91827851527e5dbfb80c8e

SHA256
c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c

SHA512
adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LUNARE~1.EXE
Filesize
4.4MB

MD5
20a4e7ed0288e0232e9e779276c3565c

SHA1
016271c30cc37d408ef554e69f64bdbf9b5e5261

SHA256
c5adbecbe3e2dca07ca61e0da4bda309a281fd163c08e36fb028ebbb99f18b30

SHA512
9ca4251c439afaaea778fc206639c3c240e445837765a642c29a2b70722ce9040a5f41ce6214f8cc8f685b4af880f05b621a44f1f6964b58fcb2339f6db914bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\num2.EXE
Filesize
1.8MB

MD5
9dea22946a2684b2f4dde49c3272617b

SHA1
fd0025b98c3e0e04aeabc91b8f119ceb1a163c62

SHA256
04803655235f36c5fdaabadb4e984bb83bbdefbc42d45d13397ae57b8176bc34

SHA512
f1e485aec604d60029d3994fdd6e2536edefd755101a6c131a981df2e898fdc25632b93fef66e1ddc6853022b6ad6a44a49441105066168d1f506098fe1f445d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\num2.EXE
Filesize
576KB

MD5
b5ce367479dd6c7e29b99a820a0f0d79

SHA1
4a2d1b29769e69b5f6d11d01d3e8674bcb32bb93

SHA256
ae08e751c227ae21e7e66e939cf5d03117ea06e0d0cb0621c74b62ac7830e538

SHA512
6bdd158068a7fe2448a5eb0f183ebdc257beacfc0cfd59d174d506c40bba527cd8ae376eb018ab406e377a6185580a99c5ba66688e7d307d8ae8144e3c807cf0

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\final1.EXE
Filesize
36.9MB

MD5
4e463f20f2fd3d53e026b543af7cf6d5

SHA1
d682f9e49845b855a7b16c584b528e13fcd3fbd6

SHA256
b95fdb4a4b5303fda5264c1879f3ad1c847d7fea4c924e7aef7e5248f5796054

SHA512
94e7ea55e96ce1118abd283473e66dedc933d7b6bf10713e3da4db5fa91bba3ca0a61580f01213c62282c7b272855c8c8b43e2f3fa410339349676f8d6eaf6de

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
Filesize
13.3MB

MD5
823fac7f93290f61fbabb204c4bb052e

SHA1
875c3e816bad5ef9c15a36f96f5e7b5486c032af

SHA256
ae8133f4b694e5ac0af14f2ca1e1034b0671b3971d9df512ab9427334f75b10e

SHA512
08deb3643e1e74c4dd2e9388556be6976013ca9ad0cd5896f53fc12a9327c70ad28d157b43cb8229bbda1d6cfedc29d2376b82c4d0d89db074a29025d641a50b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
Filesize
19.9MB

MD5
06b2bef85e8591cbbde8986c8a1d13c0

SHA1
b57e283ba78b84920b36d50bd333ec45bab79a62

SHA256
936c4ed35409ff9163bc4fba704325b4962d02aadfc6e3f27b55a2f2079cfadb

SHA512
518f6b96ce4a978d468cd3a0c11456cbc9ab53caffe996db49eca545dd9eb99e5e69dfa59cd6cfc6712c8982e5a872327e6906e217f10250bcac0ab73dde461a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LUNARE~1.EXE
Filesize
26.2MB

MD5
71216a6574adeb7655124b04ea5c3446

SHA1
b96ecc50ad0fe3eaea07d2d774ea71ec86354e0a

SHA256
d3f17c2ab0e7a44d489b3466d986d3f1eff3a3ee820575469a8ed1386e616700

SHA512
e0109ae6cc6ce973aef9023f8f3fbe95faa7a911a6801252dcaaeef9eb7cf5aabe8e2a90c7bad2b936407f805db13b9bb4aacbf4df1f39fae3f78be626af6fc6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\final1.EXE
Filesize
7.1MB

MD5
898398a53796e582fb2acdbaaaa11245

SHA1
528dfcbfb90a42ba8cc9888bf39fe51ca0400758

SHA256
bab8c40606545fc5de3700debe1ced3befec3762ef5f6b46e394570351fcd591

SHA512
26137dcb5f1e46164a196222fb968130ecbda64f4eab153ecc421b52f75016c8c1f14717d2c5cc3a4d3a077d5c8582609769cd8017e6d14b3896f1ac9e8b2f53

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\num2.EXE
Filesize
640KB

MD5
3d633dbc5613ee92c0666381275c9eff

SHA1
bf4645490d37a98f2161cbec3b68424e6648691c

SHA256
e6743f6a69dc96618f7f4a107ebb10672acfef6ac7f2c8d37e717627d56a0f28

SHA512
d0c26ddb904e1999a73159ae2f01256d3f8b251098206ed8aa184250f9d6f62fe2f80d7c274ea19bb3ca61c68fcb5d27cdf0768cb5552899fde43365c7c0f47d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17322\api-ms-win-core-file-l1-2-0.dll
Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17322\api-ms-win-core-file-l2-1-0.dll
Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17322\api-ms-win-core-localization-l1-2-0.dll
Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17322\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17322\api-ms-win-core-timezone-l1-1-0.dll
Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17322\python312.dll
Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17322\ucrtbase.dll
Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
memory/436-137-0x000007FEBE300000-0x000007FEBE310000-memory.dmp

Filesize
64KB

Download
memory/436-127-0x0000000000C00000-0x0000000000C24000-memory.dmp

Filesize
144KB

Download
memory/436-129-0x0000000000C00000-0x0000000000C24000-memory.dmp

Filesize
144KB

Download
memory/436-136-0x0000000000C30000-0x0000000000C5B000-memory.dmp

Filesize
172KB

Download
memory/436-138-0x00000000370B0000-0x00000000370C0000-memory.dmp

Filesize
64KB

Download
memory/480-154-0x00000000370B0000-0x00000000370C0000-memory.dmp

Filesize
64KB

Download
memory/480-150-0x00000000001E0000-0x000000000020B000-memory.dmp

Filesize
172KB

Download
memory/480-152-0x000007FEBE300000-0x000007FEBE310000-memory.dmp

Filesize
64KB

Download
memory/496-140-0x00000000001F0000-0x000000000021B000-memory.dmp

Filesize
172KB

Download
memory/496-141-0x000007FEBE300000-0x000007FEBE310000-memory.dmp

Filesize
64KB

Download
memory/496-142-0x00000000370B0000-0x00000000370C0000-memory.dmp

Filesize
64KB

Download
memory/800-95-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-99-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-101-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/800-105-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-106-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-104-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-103-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-102-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-100-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-94-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-98-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-96-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-97-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-108-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/800-107-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1808-363-0x000000001A250000-0x000000001A532000-memory.dmp

Filesize
2.9MB

Download
memory/1808-364-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2408-115-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/2408-114-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2588-116-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2588-117-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2588-121-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2588-122-0x0000000077070000-0x0000000077219000-memory.dmp

Filesize
1.7MB

Download
memory/2588-124-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2588-119-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2588-118-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2588-123-0x0000000076F50000-0x000000007706F000-memory.dmp

Filesize
1.1MB

Download
memory/2944-87-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2944-85-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2944-86-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2944-91-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2944-88-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2944-89-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download