Malware Analysis Report

2025-04-03 10:13

Sample ID 250214-zhfvgaymay
Target 20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb
SHA256 20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb
Tags
upx blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb

Threat Level: Known bad

The file 20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb was found to be: Known bad.

Malicious Activity Summary

upx blackshades defense_evasion discovery persistence rat

Blackshades family

Modifies firewall policy service

Blackshades payload

Blackshades

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-14 20:42

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-14 20:42

Reported

2025-02-14 20:45

Platform

win7-20240903-en

Max time kernel

148s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost32.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VAuPx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrs = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2880 set thread context of 2796 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VAuPx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Local\Temp\VAuPx.exe
PID 2396 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Local\Temp\VAuPx.exe
PID 2396 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Local\Temp\VAuPx.exe
PID 2396 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Local\Temp\VAuPx.exe
PID 2396 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2844 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2844 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2844 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2396 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2396 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2396 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2880 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2880 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2880 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2880 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2880 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2880 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2880 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2880 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2880 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2796 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2544 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2544 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2544 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2544 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 812 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 812 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 812 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 812 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe

"C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe"

C:\Users\Admin\AppData\Local\Temp\VAuPx.exe

"C:\Users\Admin\AppData\Local\Temp\VAuPx.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DToCS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f

C:\Users\Admin\AppData\Roaming\csrs.exe

"C:\Users\Admin\AppData\Roaming\csrs.exe"

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 46657272617269.3utilities.com udp

Files

memory/2396-1-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/2396-12-0x0000000002590000-0x00000000025A7000-memory.dmp

memory/2396-11-0x0000000002590000-0x00000000025A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VAuPx.exe

MD5 466773bfcbd01059584cdae36e3c281c
SHA1 81e68615ef27cf363d6fe96582433c8a7ce8043b
SHA256 21f0910a1d71dfc63744474b2ba6b8248d893226576ea48791dc0cef7dd52105
SHA512 1088e7180a7d4ed717307c03884aebd945c5f78ffd6c4a4d7e84e504dc2da0434fe4173c63f1afd5a57e83e1783b3359ce123e85bb62699fb663bc9b1c02129f

memory/2396-19-0x0000000002590000-0x00000000025A7000-memory.dmp

memory/1488-21-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DToCS.bat

MD5 34a635bb69f9dc2d8e8ceba2f6b25308
SHA1 66bbd6b4eb975af0a799c6be7aaed6917f5df10c
SHA256 eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a
SHA512 ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

C:\Users\Admin\AppData\Roaming\csrs.exe

MD5 220e6ee380d819a3f9b913c0d880735f
SHA1 cbea523c67fbe262005d7589cc8401dfe3247d31
SHA256 e50be019776dde2753f27f143d973d7a47cdba385a636dc1685bac015f97b63c
SHA512 0121c2c2ce993fdc7f8570544a5750fde4c4545f65b3d3952bd3bdcd45e77301d21fe7b3eff8ce4cb071f201a4d55dcc8243f2f222da3707618e5c869627582f

memory/2396-61-0x00000000031E0000-0x00000000033BD000-memory.dmp

memory/2880-64-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/2396-62-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/2880-69-0x00000000029E0000-0x0000000002BBD000-memory.dmp

memory/2796-77-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2796-75-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2796-73-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2880-71-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/1488-83-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2796-84-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2796-88-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2796-91-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2796-93-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2796-95-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2796-97-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2796-102-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2796-107-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2796-112-0x0000000000400000-0x000000000045D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-14 20:42

Reported

2025-02-14 20:45

Platform

win10v2004-20250207-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost32.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HGsux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrs = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4788 set thread context of 3956 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HGsux.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4152 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Local\Temp\HGsux.exe
PID 4152 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Local\Temp\HGsux.exe
PID 4152 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Local\Temp\HGsux.exe
PID 4152 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4152 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4152 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4152 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4788 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4788 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4788 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4788 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4788 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4788 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4788 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4788 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3956 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2260 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2260 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3680 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3680 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3680 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe

"C:\Users\Admin\AppData\Local\Temp\20f82792b16f9e473fb0b4fb1b2173281091bf64cafb176b796245a45f2d40eb.exe"

C:\Users\Admin\AppData\Local\Temp\HGsux.exe

"C:\Users\Admin\AppData\Local\Temp\HGsux.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuyqZ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f

C:\Users\Admin\AppData\Roaming\csrs.exe

"C:\Users\Admin\AppData\Roaming\csrs.exe"

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTgzRjQyNjEtQzdBNi00NEQzLTk5NDYtMzEzNjJCMkU0QkZCfSIgdXNlcmlkPSJ7MDk0QThGNjgtMkM3MS00NUU3LTg5OTQtQUE1NjgwQUUzMzAzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MDVCM0QwNDAtQzVCNS00MzUxLTg5MTItRUFBNTEzODMxNTM5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI3IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDg5MjAxNDEwIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 46657272617269.3utilities.com udp
GB 2.18.66.114:443 www.bing.com tcp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
IE 4.245.161.190:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp

Files

memory/4152-0-0x0000000000400000-0x00000000005DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HGsux.exe

MD5 466773bfcbd01059584cdae36e3c281c
SHA1 81e68615ef27cf363d6fe96582433c8a7ce8043b
SHA256 21f0910a1d71dfc63744474b2ba6b8248d893226576ea48791dc0cef7dd52105
SHA512 1088e7180a7d4ed717307c03884aebd945c5f78ffd6c4a4d7e84e504dc2da0434fe4173c63f1afd5a57e83e1783b3359ce123e85bb62699fb663bc9b1c02129f

memory/5004-10-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BuyqZ.txt

MD5 34a635bb69f9dc2d8e8ceba2f6b25308
SHA1 66bbd6b4eb975af0a799c6be7aaed6917f5df10c
SHA256 eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a
SHA512 ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

C:\Users\Admin\AppData\Roaming\csrs.txt

MD5 6560483641c2fd27c703a44b69ec501d
SHA1 e1d6f1cd2f740b4122731f782d1de3f9ddbe75c7
SHA256 8dd439a440adcf56ac02cb009b72b28a6bdfeab1f998e41ba297c289ef5af935
SHA512 cb18ac3362a4552327fa0db7bba3a5b4c696b34e3749e0de2367ad1c53e662bd1367635e5cfad68dcb3d02cc84adeac5bc067111772dae8793306d2973594eba

memory/4152-37-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/3956-40-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3956-46-0x0000000000400000-0x000000000045D000-memory.dmp

memory/4788-44-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/3956-43-0x0000000000400000-0x000000000045D000-memory.dmp

memory/5004-52-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3956-54-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3956-58-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3956-61-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3956-63-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3956-65-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3956-68-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3956-72-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3956-77-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3956-86-0x0000000000400000-0x000000000045D000-memory.dmp