Analysis Overview
SHA256
2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1aff
Threat Level: Known bad
The file 2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Blackshades payload
Blackshades
Blackshades family
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-11 10:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-11 10:17
Reported
2025-02-11 10:19
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\RUNE.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RUNE.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\svchost.exe = "C:\\Windows\\SysWOW64\\svchost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jload = "C:\\Users\\Admin\\AppData\\Roaming\\Jload\\Jload.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2780 set thread context of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe |
| PID 2264 set thread context of 2660 | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe |
| PID 2264 set thread context of 3016 | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | C:\Windows\SysWOW64\svchost.exe |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe
"C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe"
C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe
"C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TKUQL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Jload" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe" /f
C:\Users\Admin\AppData\Roaming\Jload\Jload.exe
"C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"
C:\Users\Admin\AppData\Roaming\Jload\Jload.exe
"C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | xdarkx.zapto.org | udp |
| US | 8.8.8.8:53 | 1xdarkx.zapto.org | udp |
| US | 8.8.8.8:53 | 2xdarkx.zapto.org | udp |
| US | 8.8.8.8:53 | 3xdarkx.zapto.org | udp |
| ES | 94.73.32.235:3082 | 3xdarkx.zapto.org | tcp |
| US | 8.8.8.8:53 | 4xdarkx.zapto.org | udp |
| US | 8.8.8.8:53 | 5xdarkx.zapto.org | udp |
| US | 8.8.8.8:53 | 6xdarkx.zapto.org | udp |
Files
memory/2780-2-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2780-85-0x00000000004B0000-0x00000000004B1000-memory.dmp
memory/2760-431-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TKUQL.bat
| Hash | Value |
|---|---|
| MD5 | bc18986a524cd5015b00135cbf312330 |
| SHA1 | 65c0fa726aa3b129e2d94a5518186c3cd866f3c0 |
| SHA256 | f27d92575749ef19cccc68a524662607f5be5ed2fb415fe7de4f4927f521709c |
| SHA512 | afae8a27a1c64fedd75e9786bbeb4fc8c21795bb2cfd23a749e8de3f102977b391186597d8892cce7be71360b264b22c38a2eaf9507375c1d4e75a5586e8db2e |
\Users\Admin\AppData\Roaming\Jload\Jload.exe
| Hash | Value |
|---|---|
| MD5 | 5da3d7198190eb4a787c03e22ed9ee01 |
| SHA1 | 0fc9cf4e42e920ef13d155aaf59d45bbe6b24ad1 |
| SHA256 | dbe71fd5e2a455a29ac39ca9c3d2b11896bbe6c4247915dc664b26a1be4c303d |
| SHA512 | 8584e44719ccc57b7dce45f3baa5600b549e07221ed02cd240eb3dc53c445b013c521674dd9bcccf390d1ad2bc25aec9b00676caff4b7851972d263a86b31304 |
memory/2660-977-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2760-997-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2660-1001-0x0000000000400000-0x000000000040B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-11 10:17
Reported
2025-02-11 10:19
Platform
win10v2004-20250207-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\RUNE.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RUNE.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\svchost.exe = "C:\\Windows\\SysWOW64\\svchost.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jload = "C:\\Users\\Admin\\AppData\\Roaming\\Jload\\Jload.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2712 set thread context of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe |
| PID 4156 set thread context of 4504 | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe |
| PID 4156 set thread context of 372 | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | C:\Windows\SysWOW64\svchost.exe |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Jload\Jload.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe
"C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe"
C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe
"C:\Users\Admin\AppData\Local\Temp\2f5b4fba89a5ab0062a4718be94d6420334b9c597308998243b41546924f1affN.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMCPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Jload" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe" /f
C:\Users\Admin\AppData\Roaming\Jload\Jload.exe
"C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"
C:\Users\Admin\AppData\Roaming\Jload\Jload.exe
"C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded ping payload removed]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | xdarkx.zapto.org | udp |
| GB | 2.16.153.206:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | xdarkx.zapto.org | udp |
| US | 8.8.8.8:53 | 1xdarkx.zapto.org | udp |
| US | 8.8.8.8:53 | 2xdarkx.zapto.org | udp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| NL | 4.175.87.113:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.80.49.86:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 3xdarkx.zapto.org | udp |
| ES | 94.73.32.235:3082 | 3xdarkx.zapto.org | tcp |
| US | 8.8.8.8:53 | 4xdarkx.zapto.org | udp |
| US | 8.8.8.8:53 | 5xdarkx.zapto.org | udp |
| US | 8.8.8.8:53 | 6xdarkx.zapto.org | udp |
Files
memory/2712-4-0x00000000029D0000-0x00000000029D1000-memory.dmp
memory/2712-3-0x0000000002990000-0x0000000002991000-memory.dmp
memory/2712-2-0x0000000002950000-0x0000000002951000-memory.dmp
memory/216-5-0x0000000000400000-0x000000000040B000-memory.dmp
memory/216-7-0x0000000000400000-0x000000000040B000-memory.dmp
memory/216-9-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YMCPL.txt
| Hash | Value |
|---|---|
| MD5 | bc18986a524cd5015b00135cbf312330 |
| SHA1 | 65c0fa726aa3b129e2d94a5518186c3cd866f3c0 |
| SHA256 | f27d92575749ef19cccc68a524662607f5be5ed2fb415fe7de4f4927f521709c |
| SHA512 | afae8a27a1c64fedd75e9786bbeb4fc8c21795bb2cfd23a749e8de3f102977b391186597d8892cce7be71360b264b22c38a2eaf9507375c1d4e75a5586e8db2e |
C:\Users\Admin\AppData\Roaming\Jload\Jload.exe
| Hash | Value |
|---|---|
| MD5 | 67f6169a0f4c1b39b3fdf2bc691a6a90 |
| SHA1 | 4e078680475ded507faa781d54c4594dd45129e1 |
| SHA256 | 76cb695f97b4e32db15d8430d45d0daf57c572d6655ad8036f1835fdbdfced62 |
| SHA512 | 1e5993b0d5a55aa8cacc7a40b578a4e98ece9c45cded32a57e5ac283411634c2fec06e348b78821c32b4d6c05ba12883877c7a1cc761c38e459d754316411baa |
memory/4156-35-0x0000000000400000-0x0000000000497000-memory.dmp
memory/4156-36-0x0000000000400000-0x0000000000497000-memory.dmp
memory/372-43-0x0000000000400000-0x0000000000478000-memory.dmp
memory/372-46-0x0000000000400000-0x0000000000478000-memory.dmp
memory/216-47-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4156-51-0x0000000000400000-0x0000000000497000-memory.dmp
memory/216-54-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4504-56-0x0000000000400000-0x000000000040B000-memory.dmp
memory/372-58-0x0000000000400000-0x0000000000478000-memory.dmp