Malware Analysis Report

2025-05-28 17:56

Sample ID 250305-jdrs6ssqw3
Target acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b
SHA256 acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b
Tags
upx blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b

Threat Level: Known bad

The file acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b was found to be: Known bad.

Malicious Activity Summary

upx blackshades defense_evasion discovery persistence rat

Blackshades

Modifies firewall policy service

Blackshades payload

Blackshades family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-05 07:33

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 07:33

Reported

2025-03-05 07:36

Platform

win7-20240903-en

Max time kernel

148s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost32.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lLwkG.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrs = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2716 set thread context of 1988 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lLwkG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Local\Temp\lLwkG.exe
PID 2684 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Local\Temp\lLwkG.exe
PID 2684 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Local\Temp\lLwkG.exe
PID 2684 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Local\Temp\lLwkG.exe
PID 2684 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2684 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2684 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2684 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2716 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2716 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2716 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2716 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2716 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2716 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2716 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2716 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2716 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 1988 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2220 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe

"C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe"

C:\Users\Admin\AppData\Local\Temp\lLwkG.exe

"C:\Users\Admin\AppData\Local\Temp\lLwkG.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PycOt.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f

C:\Users\Admin\AppData\Roaming\csrs.exe

"C:\Users\Admin\AppData\Roaming\csrs.exe"

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 46657272617269.3utilities.com udp

Files

memory/2684-2-0x0000000000400000-0x00000000005DD000-memory.dmp

\Users\Admin\AppData\Local\Temp\lLwkG.exe

MD5 466773bfcbd01059584cdae36e3c281c
SHA1 81e68615ef27cf363d6fe96582433c8a7ce8043b
SHA256 21f0910a1d71dfc63744474b2ba6b8248d893226576ea48791dc0cef7dd52105
SHA512 1088e7180a7d4ed717307c03884aebd945c5f78ffd6c4a4d7e84e504dc2da0434fe4173c63f1afd5a57e83e1783b3359ce123e85bb62699fb663bc9b1c02129f

memory/2684-12-0x0000000001FB0000-0x0000000001FC7000-memory.dmp

memory/2684-7-0x0000000001FB0000-0x0000000001FC7000-memory.dmp

memory/2684-20-0x0000000001FB0000-0x0000000001FC7000-memory.dmp

memory/2684-19-0x0000000001FB0000-0x0000000001FC7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PycOt.bat

MD5 34a635bb69f9dc2d8e8ceba2f6b25308
SHA1 66bbd6b4eb975af0a799c6be7aaed6917f5df10c
SHA256 eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a
SHA512 ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

C:\Users\Admin\AppData\Roaming\csrs.exe

MD5 546f17031a05df74bc8cc80e42112f49
SHA1 1f22d8dba46af9e7565d826b30fb90653a027894
SHA256 b073b722d98c21b94fb90963ba47fa5d8330b20be2e76c9f36e3c31a8dee26dd
SHA512 a331365469cbd954d64d0be86f1f87c1d187228a4ea2ecf308fe61e21e2cd61313d763bcb50b8909e3893687565700d534bbf9a717b57f37f01a4986762a4aee

memory/2684-66-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/2716-63-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/2684-61-0x0000000003430000-0x000000000360D000-memory.dmp

memory/1988-72-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1988-74-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1988-73-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1988-69-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2716-76-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/1976-81-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1988-82-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1988-86-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1988-89-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1988-91-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1988-93-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1988-95-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1988-100-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1988-105-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1988-110-0x0000000000400000-0x000000000045D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 07:33

Reported

2025-03-05 07:36

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost32.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\porMH.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrs = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2344 set thread context of 3892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\porMH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Local\Temp\porMH.exe
PID 2252 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Local\Temp\porMH.exe
PID 2252 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Local\Temp\porMH.exe
PID 2252 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4840 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4840 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2252 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2252 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2252 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2344 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2344 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2344 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2344 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2344 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2344 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2344 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2344 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3892 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4088 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4088 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 3980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 3980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 3980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3160 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3160 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3160 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1404 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1404 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1404 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe

"C:\Users\Admin\AppData\Local\Temp\acdd8f02ebe69742c598b6654207c38bb8044fa7b2833245a72aebf6d67bec7b.exe"

C:\Users\Admin\AppData\Local\Temp\porMH.exe

"C:\Users\Admin\AppData\Local\Temp\porMH.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MHdsu.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f

C:\Users\Admin\AppData\Roaming\csrs.exe

"C:\Users\Admin\AppData\Roaming\csrs.exe"

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp

Files

memory/2252-0-0x0000000000400000-0x00000000005DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\porMH.exe

MD5 466773bfcbd01059584cdae36e3c281c
SHA1 81e68615ef27cf363d6fe96582433c8a7ce8043b
SHA256 21f0910a1d71dfc63744474b2ba6b8248d893226576ea48791dc0cef7dd52105
SHA512 1088e7180a7d4ed717307c03884aebd945c5f78ffd6c4a4d7e84e504dc2da0434fe4173c63f1afd5a57e83e1783b3359ce123e85bb62699fb663bc9b1c02129f

memory/2408-11-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MHdsu.txt

MD5 34a635bb69f9dc2d8e8ceba2f6b25308
SHA1 66bbd6b4eb975af0a799c6be7aaed6917f5df10c
SHA256 eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a
SHA512 ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

C:\Users\Admin\AppData\Roaming\csrs.txt

MD5 786f055d7b6db006f01952036e4fd374
SHA1 1e2eab28e9644fc5bddb68af9b051ad0fe316020
SHA256 f254d651191c2f18ce2c014b56bfd9b9140b8feaead1decbc0139e0b60710213
SHA512 dd0df807b5753a284ce61e2d76ceeb5ea205c50f4b90c40b7187a388d0d2cea2533e62ec81ace7e340033fe852dc2d75e1af82719d593e4bdaa2425f82c0d72e

memory/2252-36-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/3892-40-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-46-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-45-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-44-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-43-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2344-48-0x0000000000400000-0x00000000005DD000-memory.dmp

memory/2408-53-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3892-55-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-58-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-60-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-63-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-65-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-68-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-70-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-72-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3892-77-0x0000000000400000-0x000000000045D000-memory.dmp