Malware Analysis Report

2025-05-28 17:56

Sample ID 250306-krjv6atyex
Target aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6
SHA256 aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6
Tags
blackshades defense_evasion discovery persistence rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6

Threat Level: Known bad

The file aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat upx

Blackshades

Modifies firewall policy service

Blackshades family

Blackshades payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-06 08:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-06 08:50

Reported

2025-03-06 08:52

Platform

win7-20240903-en

Max time kernel

148s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost32.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\YgTpC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrs = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2828 set thread context of 2724 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YgTpC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Local\Temp\YgTpC.exe
PID 2136 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Local\Temp\YgTpC.exe
PID 2136 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Local\Temp\YgTpC.exe
PID 2136 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Local\Temp\YgTpC.exe
PID 2136 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2136 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2136 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2136 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2136 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2724 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2656 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2656 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2656 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2656 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2776 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2776 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2776 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2776 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe

"C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe"

C:\Users\Admin\AppData\Local\Temp\YgTpC.exe

"C:\Users\Admin\AppData\Local\Temp\YgTpC.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VaycO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f

C:\Users\Admin\AppData\Roaming\csrs.exe

"C:\Users\Admin\AppData\Roaming\csrs.exe"

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 46657272617269.3utilities.com udp

Files

memory/2136-0-0x0000000000400000-0x00000000005D9000-memory.dmp

\Users\Admin\AppData\Local\Temp\YgTpC.exe

MD5 466773bfcbd01059584cdae36e3c281c
SHA1 81e68615ef27cf363d6fe96582433c8a7ce8043b
SHA256 21f0910a1d71dfc63744474b2ba6b8248d893226576ea48791dc0cef7dd52105
SHA512 1088e7180a7d4ed717307c03884aebd945c5f78ffd6c4a4d7e84e504dc2da0434fe4173c63f1afd5a57e83e1783b3359ce123e85bb62699fb663bc9b1c02129f

memory/2136-12-0x0000000002690000-0x00000000026A7000-memory.dmp

memory/2136-7-0x0000000002690000-0x00000000026A7000-memory.dmp

memory/2136-19-0x0000000002690000-0x00000000026A7000-memory.dmp

memory/2572-21-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VaycO.bat

MD5 34a635bb69f9dc2d8e8ceba2f6b25308
SHA1 66bbd6b4eb975af0a799c6be7aaed6917f5df10c
SHA256 eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a
SHA512 ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

C:\Users\Admin\AppData\Roaming\csrs.exe

MD5 418ce09be632ae72e5b9b54c9923cd6f
SHA1 da2b29de1111d38e4e5fb313f8c1caab3cbc2f4c
SHA256 371f08db3395e3dc83a4fe941c125be55567393455a4c905585aae42864d11ef
SHA512 53176c4c81bc890e5e996b259f658b5b5c2060a2fb4138b83cd1e084abd9677a0021b50638da4f3c4ff2838f1483e775b063815348ca208409f9135e5a4186fc

memory/2724-69-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2724-68-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2724-65-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2572-75-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2724-76-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2724-80-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2724-83-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2724-85-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2724-87-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2724-90-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2724-94-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2724-99-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2724-104-0x0000000000400000-0x000000000045D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-06 08:50

Reported

2025-03-06 08:52

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost32.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dsAxh.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrs = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1628 set thread context of 3512 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dsAxh.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\csrs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4572 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Local\Temp\dsAxh.exe
PID 4572 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Local\Temp\dsAxh.exe
PID 4572 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Local\Temp\dsAxh.exe
PID 4572 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4572 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4572 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 4572 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 1628 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 1628 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 1628 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 1628 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 1628 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 1628 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 1628 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 1628 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3512 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 832 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 832 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 832 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2540 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2540 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2480 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2480 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2480 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4564 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4564 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4564 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 832 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 832 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 832 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe

"C:\Users\Admin\AppData\Local\Temp\aa14d905fb4baa04b5b6c5739c47a55e1a19b8e6c52183c47a38c87a61af87d6.exe"

C:\Users\Admin\AppData\Local\Temp\dsAxh.exe

"C:\Users\Admin\AppData\Local\Temp\dsAxh.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqJED.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f

C:\Users\Admin\AppData\Roaming\csrs.exe

"C:\Users\Admin\AppData\Roaming\csrs.exe"

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp

Files

memory/4572-0-0x0000000000400000-0x00000000005D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dsAxh.exe

MD5 466773bfcbd01059584cdae36e3c281c
SHA1 81e68615ef27cf363d6fe96582433c8a7ce8043b
SHA256 21f0910a1d71dfc63744474b2ba6b8248d893226576ea48791dc0cef7dd52105
SHA512 1088e7180a7d4ed717307c03884aebd945c5f78ffd6c4a4d7e84e504dc2da0434fe4173c63f1afd5a57e83e1783b3359ce123e85bb62699fb663bc9b1c02129f

memory/4376-11-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xqJED.txt

MD5 34a635bb69f9dc2d8e8ceba2f6b25308
SHA1 66bbd6b4eb975af0a799c6be7aaed6917f5df10c
SHA256 eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a
SHA512 ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

C:\Users\Admin\AppData\Roaming\csrs.txt

MD5 08048307e43130509162975cb97f076b
SHA1 854bf2e663b42a8a8d9f9ba31ac0500d4196f581
SHA256 f95a8a2a875bb02bfa0f423cd1e3f740d331fab7dd60716ffedc717e379fc2ef
SHA512 f4756e30a12694038ab67c94d88cd4d6192de79b9b993681fadb5181f2db723f878d8026f00487bf37a24fe577aea7e2e48c8a4a7bd2f0fac564d21bb4b1e443

memory/3512-37-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3512-40-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3512-42-0x0000000000400000-0x000000000045D000-memory.dmp

memory/4376-48-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3512-49-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3512-53-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3512-56-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3512-58-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3512-60-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3512-63-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3512-65-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3512-67-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3512-72-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3512-79-0x0000000000400000-0x000000000045D000-memory.dmp