Malware Analysis Report

2025-05-06 00:11

Sample ID 250224-dbgmjaznv5
Target 86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06
SHA256 86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06
Tags
blackshades defense_evasion discovery persistence rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06

Threat Level: Known bad

The file 86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat upx

Blackshades

Blackshades payload

Modifies firewall policy service

Blackshades family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-24 02:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-24 02:49

Reported

2025-02-24 02:52

Platform

win7-20240903-en

Max time kernel

148s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2864 set thread context of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1232 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1232 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1232 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1232 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2864 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2864 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2864 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2864 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2864 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2864 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2864 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2864 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2864 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2828 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2656 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2656 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2656 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2656 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe

"C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gTpDS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 havefunnuke.servequake.com udp

Files

memory/1232-0-0x0000000000400000-0x00000000005A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gTpDS.bat

MD5 1954c7e666c5b4d1117ef07bc0c9b8ec
SHA1 559e3c0273c1463e9184027b749bdaad0a372681
SHA256 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693
SHA512 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

MD5 ad4a6ecb88eb2b4c73f5ae8166a61370
SHA1 6a6b6c6341a982d4f4437f8eb61bf75d3106966c
SHA256 059d696d55712f7633c48418f589f380d8e2da408301bf21d7f882a3cbca48e7
SHA512 2e9a7161d5e48b05a40eb8a026959f9a9f66c7b0317f77406f89ba4282fe783d98b0384024ff4c933af13b9b1b7e9f26d15094246636a11059a35f49fd28cfb4

memory/2828-48-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-51-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-54-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-53-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-52-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-60-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-62-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-64-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-65-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-66-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-68-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-70-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-73-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-76-0x0000000000400000-0x000000000045C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-24 02:49

Reported

2025-02-24 02:52

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1184 set thread context of 992 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1496 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1496 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1496 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1496 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1184 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1184 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1184 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1184 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1184 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1184 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1184 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 1184 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 992 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4800 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4800 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4800 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5024 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5024 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5024 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe

"C:\Users\Admin\AppData\Local\Temp\86e431507f38ada31e45211d943f0cb53a9c452467389d9e82a2251cbb717c06.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KJEpo.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp

Files

memory/1496-0-0x0000000000400000-0x00000000005A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KJEpo.txt

MD5 1954c7e666c5b4d1117ef07bc0c9b8ec
SHA1 559e3c0273c1463e9184027b749bdaad0a372681
SHA256 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693
SHA512 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.txt

MD5 875563fb509256422f98ca91cf77bceb
SHA1 9320abb37b6c22f0792aef31b66e45608caa6d77
SHA256 d722198284b1bfb6e5f22a4d0ff8b5fbc6e94e4bc36c9f131240e421dcc97f2c
SHA512 a733a3758c7c987f3c6e031c89aef6f6276c973a34e7c8939cae8f67ab5d2f719b051b525971afe766dd370f8ce63dd940e55385283c2f42175a3e254e3f4ee5

memory/992-31-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-34-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-36-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-42-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-44-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-46-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-47-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-48-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-50-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-52-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-55-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-57-0x0000000000400000-0x000000000045C000-memory.dmp

memory/992-60-0x0000000000400000-0x000000000045C000-memory.dmp