Malware Analysis Report

2025-04-03 10:09

Sample ID 250204-28sm3axlhv
Target 5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe
SHA256 5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40
Tags
blackshades defense_evasion discovery persistence rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40

Threat Level: Known bad

The file 5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat upx

Blackshades payload

Modifies firewall policy service

Blackshades

Blackshades family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-04 23:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-04 23:15

Reported

2025-02-04 23:17

Platform

win7-20240903-en

Max time kernel

117s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2896 set thread context of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3020 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3020 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3020 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2896 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2896 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2896 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2896 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2896 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2896 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2896 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2896 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2896 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2724 wrote to memory of 392 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 392 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 392 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 392 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 392 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 392 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 392 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 392 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2228 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2228 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2228 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2036 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2036 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2036 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2036 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe

"C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xzIYf.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 havefunnuke.servequake.com udp

Files

memory/3020-0-0x0000000000400000-0x00000000005A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xzIYf.bat

MD5 1954c7e666c5b4d1117ef07bc0c9b8ec
SHA1 559e3c0273c1463e9184027b749bdaad0a372681
SHA256 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693
SHA512 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

MD5 28ff233a2dad8c0919054c5e0540e719
SHA1 0dd4eea3f1ca31ace14a2f2decdba10b4c10c8a9
SHA256 1551792c112d02302dbb55290406790143867aeb6d0c3243471d796e5d842aeb
SHA512 07664b01efe95e69e118f4ac819ae23693a1584d9c31c0f57188ccb0f41a23a28eacb1b627d7d449c41c26dc4357f161aaa6e493cff3640cb579c83d54ef9900

memory/2724-48-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-51-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-53-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-59-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-61-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-63-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-64-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-65-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-66-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-68-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-69-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2724-72-0x0000000000400000-0x000000000045C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-04 23:15

Reported

2025-02-04 23:17

Platform

win10v2004-20250129-en

Max time kernel

117s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3964 set thread context of 2172 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4712 wrote to memory of 4244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4712 wrote to memory of 4244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2288 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2288 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2172 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 836 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 836 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 836 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe

"C:\Users\Admin\AppData\Local\Temp\5bd7bf800feb28d830ce2bf332f93842e0ab1570a07631e2c3f6cd02fbf6fc40.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKZTS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
GB 88.221.135.35:443 www.bing.com tcp
US 8.8.8.8:53 35.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 havefunnuke.servequake.com udp

Files

memory/2288-0-0x0000000000400000-0x00000000005A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yKZTS.txt

MD5 1954c7e666c5b4d1117ef07bc0c9b8ec
SHA1 559e3c0273c1463e9184027b749bdaad0a372681
SHA256 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693
SHA512 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.txt

MD5 ccbe4fad3417a30ef24987ef64ccfa70
SHA1 dad70ef22efa16d7393c92618e03c63ba5c57d4f
SHA256 2564a0e530c4427d540229d84cabad57f5fe24413d6940891fdcc7b5b416772f
SHA512 343803e06cf936910a227bbf9a33c6b27e9f3288c5d551d2522d2c476b79774ed9ff88eebf29f1e44cbd860e9651568e1d0cf258ce1811d5e72484f63d568787

memory/2172-31-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-37-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-36-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-35-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-43-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-44-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-45-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-47-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-48-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-49-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-51-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-52-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2172-53-0x0000000000400000-0x000000000045C000-memory.dmp