Analysis Overview
SHA256
112052ebe6d0f3d1fa2eedfa1dd2dd5df82ee7965b43b88e18a55f02ec971b9b
Threat Level: Known bad
The file 112052ebe6d0f3d1fa2eedfa1dd2dd5df82ee7965b43b88e18a55f02ec971b9b was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
UPX dump on OEP (original entry point)
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry key
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:42
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:42
Reported
2024-04-07 18:45
Platform
win7-20240221-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2492 set thread context of 2496 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\112052ebe6d0f3d1fa2eedfa1dd2dd5df82ee7965b43b88e18a55f02ec971b9b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\112052ebe6d0f3d1fa2eedfa1dd2dd5df82ee7965b43b88e18a55f02ec971b9b.exe
"C:\Users\Admin\AppData\Local\Temp\112052ebe6d0f3d1fa2eedfa1dd2dd5df82ee7965b43b88e18a55f02ec971b9b.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hETmz.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f
C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"
C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
Files
memory/1592-0-0x0000000000400000-0x0000000000590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hETmz.bat
| MD5 | 1954c7e666c5b4d1117ef07bc0c9b8ec |
| SHA1 | 559e3c0273c1463e9184027b749bdaad0a372681 |
| SHA256 | 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693 |
| SHA512 | 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a |
\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
| MD5 | 7a0032783d43fce7a1ed7f3b93594d1d |
| SHA1 | 0e05c83ad9449d84f6a3d3514152d3176db8055f |
| SHA256 | 4405934199a6666a0a6352fea71d428755b2cb7d394a786a88dbf88d33a10697 |
| SHA512 | 2b0f6b76ece3ddcbf165e9297ecbb12f929350e94a5f800142191e86309b74aab453a356e47668b102167820e960444d341151bb5094bcc8919bbf49700d43b7 |
memory/1592-42-0x0000000002E20000-0x0000000002FB0000-memory.dmp
memory/1592-44-0x0000000002E20000-0x0000000002FB0000-memory.dmp
memory/2492-45-0x0000000000400000-0x0000000000590000-memory.dmp
memory/1592-46-0x0000000000400000-0x0000000000590000-memory.dmp
memory/2496-51-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2492-54-0x0000000000400000-0x0000000000590000-memory.dmp
memory/2496-55-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-57-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-63-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-64-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-65-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-67-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-68-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-69-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-71-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-72-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-73-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-75-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2496-76-0x0000000000400000-0x000000000045C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:42
Reported
2024-04-07 18:45
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
139s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\112052ebe6d0f3d1fa2eedfa1dd2dd5df82ee7965b43b88e18a55f02ec971b9b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2336 set thread context of 4892 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\112052ebe6d0f3d1fa2eedfa1dd2dd5df82ee7965b43b88e18a55f02ec971b9b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\112052ebe6d0f3d1fa2eedfa1dd2dd5df82ee7965b43b88e18a55f02ec971b9b.exe
"C:\Users\Admin\AppData\Local\Temp\112052ebe6d0f3d1fa2eedfa1dd2dd5df82ee7965b43b88e18a55f02ec971b9b.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAKJE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f
C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"
C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
Files
memory/1524-0-0x0000000000400000-0x0000000000590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BAKJE.txt
| MD5 | 1954c7e666c5b4d1117ef07bc0c9b8ec |
| SHA1 | 559e3c0273c1463e9184027b749bdaad0a372681 |
| SHA256 | 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693 |
| SHA512 | 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a |
C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.txt
| MD5 | 432ac17c3e53a40393de71e3208291dd |
| SHA1 | d4544acede42b2c0ccbd738dd160982d4da7b427 |
| SHA256 | 84e166ec958e809f98a0369f01772da253680e9a873da510824ce21625a5843e |
| SHA512 | 0025155eb65e6aec7112043c93c62e75a469394740e933fdcbd0bbcbbaf32bf6d94d7977d95f2871936011ef4fb1ca091f342f789d70d59f35699b384448a9d7 |
memory/1524-28-0x0000000000400000-0x0000000000590000-memory.dmp
memory/2336-29-0x0000000000400000-0x0000000000590000-memory.dmp
memory/4892-32-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-35-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2336-36-0x0000000000400000-0x0000000000590000-memory.dmp
memory/4892-37-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-43-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-44-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-45-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-47-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-48-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-49-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-51-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-52-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-53-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-55-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4892-61-0x0000000000400000-0x000000000045C000-memory.dmp