Malware Analysis Report

2025-04-03 10:15

Sample ID 250203-g35p8asqdy
Target e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53
SHA256 e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53
Tags
upx blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53

Threat Level: Known bad

The file e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53 was found to be: Known bad.

Malicious Activity Summary

upx blackshades defense_evasion discovery persistence rat

Modifies firewall policy service

Blackshades family

Blackshades

Blackshades payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-03 06:20

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-03 06:20

Reported

2025-02-03 06:23

Platform

win7-20240903-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JavaWeb\\jusched.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Machine = "C:\\Users\\Admin\\AppData\\Roaming\\JavaWeb\\jusched.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2816 set thread context of 3012 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 set thread context of 2252 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: 1 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1700 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 1700 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 1700 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 1700 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2816 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 3012 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe

"C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NlIXf.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Machine" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /f

C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe

"C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe"

C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe

C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe

C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe

C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 jingerred2.no-ip.biz udp

Files

memory/1700-0-0x0000000000400000-0x00000000005A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NlIXf.bat

MD5 976ffa9a304b234c039c8739d97bb893
SHA1 f70f7ede8b6e5d1b8a9b53c9bf43882485b55bd6
SHA256 2b77cf051bb584aada8b9e5e07cba06e2077b42f009c33d10e31994ceec10384
SHA512 1bd398b968736efbab740c81776781023a4ef0dc1c0191d6393a7582bd79b452666163691d82a27ee8989a1e293e6d6df57c303aa9b34497ae52be417f9e269c

C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe

MD5 3c34d235d1fc4f8016577a3c99a85034
SHA1 0f0e0c2398e20d6c9b0086ee8140e6de3203da06
SHA256 81335c368ba5abb657ba1647adfe1908e55d890e900de7ff734eded5bff2e7f9
SHA512 7a41e7d17ecd7322f5c409b5effa8f5ed8f98ca5a67f483265721dad5608e70977c28006483857890fae441696f5d91c8cb0388b1f4835fa821492dec43da5fb

memory/1700-30-0x00000000033C0000-0x0000000003568000-memory.dmp

memory/2816-45-0x0000000000400000-0x00000000005A8000-memory.dmp

memory/1700-44-0x00000000033C0000-0x0000000003568000-memory.dmp

memory/1700-47-0x0000000000400000-0x00000000005A8000-memory.dmp

memory/2816-65-0x0000000000400000-0x00000000005A8000-memory.dmp

memory/2252-63-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2816-62-0x0000000002AC0000-0x0000000002C68000-memory.dmp

memory/2252-61-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2252-58-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3012-57-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3012-56-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3012-52-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3012-73-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2252-75-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3012-76-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3012-79-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3012-81-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3012-83-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3012-86-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3012-90-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3012-95-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3012-100-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3012-102-0x0000000000400000-0x000000000045C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-03 06:20

Reported

2025-02-03 06:23

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JavaWeb\\jusched.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Machine = "C:\\Users\\Admin\\AppData\\Roaming\\JavaWeb\\jusched.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2900 set thread context of 2208 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2900 set thread context of 1140 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 4060 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 3128 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 2900 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2900 wrote to memory of 2208 (8 events) N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2900 wrote to memory of 1140 (8 events) N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
PID 2208 wrote to memory of 1724 (3 events) N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1888 (3 events) N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2620 (3 events) N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1876 (3 events) N/A C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 3328 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1876 wrote to memory of 3784 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 716 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2620 wrote to memory of 220 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe

"C:\Users\Admin\AppData\Local\Temp\e53f269da704e873c0c1529ee44ffdefbd0d7f081754239d378a7fef1ef6dc53.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KJESN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Machine" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /f

C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe

"C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe"

C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe (four further instances, listed without a command line)

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto Queries
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 jingerred2.no-ip.biz udp 10
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 132.160.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp 1
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 udp 1

Files

C:\Users\Admin\AppData\Local\Temp\KJESN.txt

MD5 976ffa9a304b234c039c8739d97bb893
SHA1 f70f7ede8b6e5d1b8a9b53c9bf43882485b55bd6
SHA256 2b77cf051bb584aada8b9e5e07cba06e2077b42f009c33d10e31994ceec10384
SHA512 1bd398b968736efbab740c81776781023a4ef0dc1c0191d6393a7582bd79b452666163691d82a27ee8989a1e293e6d6df57c303aa9b34497ae52be417f9e269c

C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.txt

MD5 5e3ec94b0c31e0b03159ab93d8a7bf33
SHA1 8aea57695bc4260a9bb9cc8ff51ed912424478bb
SHA256 0c7a5db848b3195cf83c888bbbc689961862d37f6ae8115e81f8e69a71ede285
SHA512 1c4b2ebfb52e9cc94b7b246ccd79504dbe53bac06288c30054e84fb03044c1685bf8e9818850bef84031f34cd1dc80c62f45e652715161cddbe7be7a596ee29b

Memory dumps were captured for PID 4872 and PID 2900 (0x0000000000400000-0x00000000005A8000), PID 2208 (0x0000000000400000-0x000000000045C000) and PID 1140 (0x0000000000400000-0x0000000000409000).