Analysis Overview
SHA256: f445af50afdd98f33206c6fe8dc6f8b9c27a2dddbdc8d254cd7d2209f6450aee
Threat Level: Known bad
The file Launcher.rar was found to be: Known bad.
Malicious Activity Summary
xmrig
RedLine
RedLine payload
XMRig Miner payload
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Stops running service(s)
Creates new service(s)
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-07-05 03:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-05 03:23
Reported: 2024-07-05 03:28
Platform: win10v2004-20240704-en
Max time kernel: 271s
Max time network: 279s
Command Line
Signatures
RedLine
RedLine payload
xmrig
XMRig Miner payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Launcher\LauncherBFH-Last.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher\LauncherBFH-Last.exe | N/A |
| N/A | N/A | C:\update\sk1zscf.exe | N/A |
| N/A | N/A | C:\update\2v2dvhf.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows11\Updater.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher\LauncherBFH-Last.exe | N/A |
| N/A | N/A | C:\update\sk1zscf.exe | N/A |
UPX packed file
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Windows11\Updater.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\update\2v2dvhf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3516 set thread context of 4248 | N/A | C:\update\sk1zscf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 3976 set thread context of 900 | N/A | C:\ProgramData\Windows11\Updater.exe | C:\Windows\system32\conhost.exe |
| PID 3976 set thread context of 1520 | N/A | C:\ProgramData\Windows11\Updater.exe | C:\Windows\system32\svchost.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher\LauncherBFH-Last.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\update\2v2dvhf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows11\Updater.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Launcher.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Launcher\" -spe -an -ai#7zMap19428:96:7zEvent6264
C:\Users\Admin\AppData\Local\Temp\Launcher\LauncherBFH-Last.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher\LauncherBFH-Last.exe"
C:\update\sk1zscf.exe
"C:\update\sk1zscf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\update\2v2dvhf.exe
"C:\update\2v2dvhf.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WindowsUpdate"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\Windows11\Updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WindowsUpdate"
C:\ProgramData\Windows11\Updater.exe
C:\ProgramData\Windows11\Updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bit.ly | udp |
| US | 67.199.248.10:443 | bit.ly | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 10.248.199.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| NL | 194.26.232.43:20746 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| NL | 194.26.232.43:20746 | | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10343 | xmr-eu1.nanopool.org | tcp |
| NL | 194.26.232.43:20746 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| NL | 194.26.232.43:20746 | | tcp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| NL | 194.26.232.43:20746 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Launcher\LauncherBFH-Last.exe
| MD5 | a2fd9f0e50ce7bdba610a94c6631029c |
| SHA1 | 666e589cced96647add94fa0d6e715d567a62caf |
| SHA256 | fb8e948e91a2ba3f8405f21a234d23f8d64f39cb9b4f9cb2580d14b4732b4e34 |
| SHA512 | d2f15d1cb7026b8a842957ac8e5146eeffc7785d7383e58a2599d86720d1f9100152f7d96202eb8db10f8f4515e7037765d59b3a2833777eca9e8b8f814e1079 |
C:\Users\Admin\AppData\Local\Temp\Launcher\mainf.dll
| MD5 | dfbad6728654395df7cdc4626686bdd7 |
| SHA1 | 63686f523d7b4bf33c6184ce7d870fa326ce4bba |
| SHA256 | ba7ee4cc8044c4aeac2c9b698a32a6d01020097e14730abc7040cd9f0ee0608c |
| SHA512 | e2ff8afcd090adc2a846152fa5f0055ade47b8d9a19e6d2ff1f20092b987db98729388142f56af716b8dc659e66188ecfa4ba35b55353e7636a58a78c7ce6abd |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sd4n4bj1.eno.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\update\sk1zscf.exe
| MD5 | ca4ea1c4a32c77cb51ec562ea5de02b7 |
| SHA1 | 0c84da28464c9a9b344d742f687bc35791ba49e7 |
| SHA256 | 884a26cc7ccb6b5ca187abe58c95e887692118bc5c08c031a21320521cec34a6 |
| SHA512 | b45d3c0bee82000e51fb4cd0e8b3cb387e3b07398ab76d30144a3d1f3459af3daee47acf5a073088f9f810e40dff004b631fef4c4cb8a856556f9135076656ac |
C:\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | 84d27cefb8728163c82f5f7dc0f5f892 |
| SHA1 | e695df92d93a3d2c54e3dd625bc77fcf9cd25a53 |
| SHA256 | b70d5591b5a42d4d9a5e0ef0858558f2e0a69e947540ca694d70839106c513af |
| SHA512 | 88d51d881f087bf8a0e2c6e390f5462f40a0a6a1b112798f95fce48316d543a2b245d1e67899764b52864a0d2eec19d38a382c15ab5368f05fce938c0dad96a5 |
C:\Users\Admin\AppData\Local\Temp\TmpD9E0.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\update\2v2dvhf.exe
| MD5 | f8f0bf351c98322c30955fed22a139a2 |
| SHA1 | bacc8466fc650c2d525f5bd3f34b7565dd62bd08 |
| SHA256 | 8d9c31096032072922fab12d506b46913af14e5d0d7e53b52395127f5854f520 |
| SHA512 | 183ea683d0d07e06489215eb7dd0c20372c04cdf7850e1b8e6e234917e820b5194f81a30f3bfacccf14052104c121950f4ddec522cf8fbd0af3ef70521e9c857 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 124edf3ad57549a6e475f3bc4e6cfe51 |
| SHA1 | 80f5187eeebb4a304e9caa0ce66fcd78c113d634 |
| SHA256 | 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675 |
| SHA512 | b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee |