Analysis Overview
SHA256
8c5f30c945924e1703e7efa3f9fbd335f26d4bec587a6d0fdf930e954736a0f7
Threat Level: Known bad
The file 8c5f30c945924e1703e7efa3f9fbd335f26d4bec587a6d0fdf930e954736a0f7 was found to be: Known bad.
Malicious Activity Summary
Blackshades
Blackshades payload
Modifies firewall policy service
Blackshades family
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-14 08:55
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-14 08:55
Reported
2025-02-14 08:57
Platform
win7-20241010-en
Max time kernel
149s
Max time network
128s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\winupdt2.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdt = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\winupdt2.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2920 set thread context of 2588 | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe |
| PID 2920 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c5f30c945924e1703e7efa3f9fbd335f26d4bec587a6d0fdf930e954736a0f7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c5f30c945924e1703e7efa3f9fbd335f26d4bec587a6d0fdf930e954736a0f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c5f30c945924e1703e7efa3f9fbd335f26d4bec587a6d0fdf930e954736a0f7.exe
"C:\Users\Admin\AppData\Local\Temp\8c5f30c945924e1703e7efa3f9fbd335f26d4bec587a6d0fdf930e954736a0f7.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcqJE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe" /f
C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe
"C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe"
C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe
"C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe"
C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe
"C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
Files
memory/844-0-0x0000000000400000-0x00000000005CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RcqJE.bat
| MD5 | 49bb161b07149b1bda99901c71d98b1f |
| SHA1 | e5e3b389c09d551bd8f3a4cf71ee30e566fdf6e2 |
| SHA256 | 734c4f48449a118dbdfbbe4971ecf112b26b2b45d1889678c01dea98eb5767d8 |
| SHA512 | da09a2af9b7f9528916ab719ed97ee8b61179bba92016eaed64b3e7d6bf08646801aeeb0eb332bdde175eb64b48106f7cf2fe2bf01ea6128753e4ce1d48707be |
C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe
| MD5 | 5ea761534db458d2bf3ef2fc8382c978 |
| SHA1 | 0fa184b3e3d06371729392f60126330d9b5831e3 |
| SHA256 | 9b8f5329a80564f8c101bf9fadd4d7f58f8bf164dc49a6660a59d1981c2cfdc0 |
| SHA512 | 3da3dd144416bd5e632d7eff1140953ffc8393d7e77cf8156b12f4f52e36b34fc8a079d081856d1a71f16d2eff4a4d59d0c1659063d6df24963e6727702369dd |
memory/844-43-0x0000000002EC0000-0x000000000308A000-memory.dmp
memory/844-42-0x0000000002EC0000-0x000000000308A000-memory.dmp
memory/844-47-0x0000000000400000-0x00000000005CA000-memory.dmp
memory/2588-49-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2588-52-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2588-54-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2668-63-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2668-64-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2920-65-0x0000000000400000-0x00000000005CA000-memory.dmp
memory/2668-62-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2588-68-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2668-70-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2588-71-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2588-74-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2588-76-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2588-78-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2588-81-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2588-83-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2588-85-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2588-90-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2588-94-0x0000000000400000-0x000000000045C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-14 08:55
Reported
2025-02-14 08:57
Platform
win10v2004-20250207-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\winupdt2.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8c5f30c945924e1703e7efa3f9fbd335f26d4bec587a6d0fdf930e954736a0f7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdt = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\winupdt2.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3588 set thread context of 4612 | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe |
| PID 3588 set thread context of 4480 | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c5f30c945924e1703e7efa3f9fbd335f26d4bec587a6d0fdf930e954736a0f7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c5f30c945924e1703e7efa3f9fbd335f26d4bec587a6d0fdf930e954736a0f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c5f30c945924e1703e7efa3f9fbd335f26d4bec587a6d0fdf930e954736a0f7.exe
"C:\Users\Admin\AppData\Local\Temp\8c5f30c945924e1703e7efa3f9fbd335f26d4bec587a6d0fdf930e954736a0f7.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSNlk.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe" /f
C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe
"C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe"
C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe
"C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe"
C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe
"C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEY0N0NDOTctNjNBNy00Mjg0LTk5N0YtOEMyNURENDJFRUM5fSIgdXNlcmlkPSJ7NTk2RTJDNTUtRkI3Qi00QjM1LUFGMDQtQ0MxNjAxNjc2NDE4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjcxMEMzRDItNUZFNi00MzBFLUJCQ0EtQzNENzJCMTA2QjUzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDc2NzU2NzY0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 4.151.228.221:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
| US | 8.8.8.8:53 | havefunnuke.servequake.com | udp |
Files
memory/3600-0-0x0000000000400000-0x00000000005CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pSNlk.txt
| MD5 | 49bb161b07149b1bda99901c71d98b1f |
| SHA1 | e5e3b389c09d551bd8f3a4cf71ee30e566fdf6e2 |
| SHA256 | 734c4f48449a118dbdfbbe4971ecf112b26b2b45d1889678c01dea98eb5767d8 |
| SHA512 | da09a2af9b7f9528916ab719ed97ee8b61179bba92016eaed64b3e7d6bf08646801aeeb0eb332bdde175eb64b48106f7cf2fe2bf01ea6128753e4ce1d48707be |
C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.txt
| MD5 | cffa0447041ea5c32d7d7a7d91fb60bf |
| SHA1 | 2d665b881f02a60fac9857d1517650c6c9fc6bf3 |
| SHA256 | eb83c932543aa273eae8029321b4ea02a0807aa7bbeda9135c56f7b36e675610 |
| SHA512 | 465ef54746d43a80ec6f898cef433a15ec45fe4f48fc6c987cd09807236223cec0d575dbe5b6dd22985ddb3335bf5d6e817f817ced82cf33f53e1099649b4ac3 |
memory/3600-30-0x0000000000400000-0x00000000005CA000-memory.dmp
memory/4612-31-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4612-36-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4612-34-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4480-42-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4480-38-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4480-44-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3588-49-0x0000000000400000-0x00000000005CA000-memory.dmp
memory/4612-52-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4480-53-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4612-54-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4612-56-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4612-59-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4612-62-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4612-64-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4612-67-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4612-69-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4612-76-0x0000000000400000-0x000000000045C000-memory.dmp