Malware Analysis Report

2025-05-06 00:09

Sample ID 250124-q24wzasqaq
Target b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe
SHA256 b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed
Tags
upx blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed

Threat Level: Known bad

The file b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe was found to be: Known bad.

Malicious Activity Summary

upx blackshades defense_evasion discovery persistence rat

Modifies firewall policy service

Blackshades

Blackshades family

Blackshades payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-24 13:46

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-24 13:46

Reported

2025-01-24 13:48

Platform

win7-20240903-en

Max time kernel

148s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2276 set thread context of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Windows\SysWOW64\cmd.exe
PID 1056 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1056 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1056 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1056 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2496 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2496 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2496 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2276 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2276 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2276 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2276 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2276 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2276 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2276 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2276 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2276 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2724 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2656 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2656 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2656 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2828 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2828 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2828 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2828 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe

"C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PxrJH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 havefunnuke.servequake.com udp

Files

memory/2496-0-0x0000000000400000-0x00000000005A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PxrJH.bat

MD5 1954c7e666c5b4d1117ef07bc0c9b8ec
SHA1 559e3c0273c1463e9184027b749bdaad0a372681
SHA256 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693
SHA512 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

MD5 6f9b4da77f322076dbd793561b9bda72
SHA1 ab670d79896a1a525abd029ad843d28b67e6c94b
SHA256 be4cc94ebf7d300695f03cd1ee044920afdf881f53d6f72d488486b41a1dc1a1
SHA512 4e830823a9371880f52968709b7f92854537dded5fa473564b829fc90d069437d1f394728fa0d060e442b2cec81cab7d34f8bcfe9242d44a071c5a1d074782bb

memory/2496-42-0x0000000003640000-0x00000000037E8000-memory.dmp

memory/2496-44-0x0000000000400000-0x00000000005A8000-memory.dmp

memory/2724-49-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-52-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-54-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2276-55-0x0000000000400000-0x00000000005A8000-memory.dmp

memory/2724-61-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-63-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-65-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-66-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-67-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-69-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-71-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-74-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-77-0x0000000000400000-0x000000000045C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-24 13:46

Reported

2025-01-24 13:48

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3604 set thread context of 4512 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Windows\SysWOW64\cmd.exe
PID 4388 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4388 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4388 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3064 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3064 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3064 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3604 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3604 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3604 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3604 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3604 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3604 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3604 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3604 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 4512 wrote to memory of 444 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 444 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 444 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 444 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 444 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3276 wrote to memory of 4624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3276 wrote to memory of 4624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3276 wrote to memory of 4624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4356 wrote to memory of 904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4356 wrote to memory of 904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4356 wrote to memory of 904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe

"C:\Users\Admin\AppData\Local\Temp\b61d9eb6f0cbbdac1fca08faa6e1cd070c1cc2be344c6eea0488ab671809f1ed.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAxhg.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 188.77.23.2.in-addr.arpa udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp

Files

memory/3064-0-0x0000000000400000-0x00000000005A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BAxhg.txt

MD5 1954c7e666c5b4d1117ef07bc0c9b8ec
SHA1 559e3c0273c1463e9184027b749bdaad0a372681
SHA256 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693
SHA512 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.txt

MD5 58ff3432a020ad8d78e6aa82dbb35904
SHA1 773f0563bca67bf9b61795da1885b126b453f5ca
SHA256 1abd6e22914d5859430afa40e8038a9485e03642458e96da4e5ab7762e26468a
SHA512 ce286fd42e159770346898f0dc715f932b3d1a6ae91a0b86b48ddf52dc530955fac70a7be68d348394f614501516066ceff96ab869cb5b53ffe4859b46dddbd9

memory/3064-30-0x0000000000400000-0x00000000005A8000-memory.dmp

memory/4512-31-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4512-36-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4512-34-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3604-42-0x0000000000400000-0x00000000005A8000-memory.dmp

memory/4512-43-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4512-45-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4512-47-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4512-48-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4512-49-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4512-52-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4512-53-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4512-56-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4512-61-0x0000000000400000-0x000000000045C000-memory.dmp