Malware Analysis Report

2025-05-28 17:57

Sample ID 250307-2a7pbsysgy
Target 873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb
SHA256 873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb
Tags
upx blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb

Threat Level: Known bad

The file 873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb was found to be: Known bad.

Malicious Activity Summary

upx blackshades defense_evasion discovery persistence rat

Blackshades family

Modifies firewall policy service

Blackshades payload

Blackshades

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-07 22:23

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
1 match (the static scan reports no per-match details)

Unsigned PE

Description | Indicator | Process | Target
1 match (the static scan reports no per-match details)

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-07 22:23

Reported

2025-03-07 22:26

Platform

win7-20240903-en

Max time kernel

148s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description | Indicator | Process | Target
12 matches (the report gives no per-match details for this signature)

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A (2 occurrences)
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A (2 occurrences)
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A (2 occurrences)
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost32.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A

Reading these rows: CurrentControlSet in the REG ADD command lines (see Processes) resolves to ControlSet001 in the sandbox's kernel-path view. DoNotAllowExceptions = 0 tells the firewall to honour its exceptions list, and each AuthorizedApplications\List value uses the legacy Windows Firewall format <path>:<scope>:<Enabled|Disabled>:<display name>. The display name "Windows Messanger" is the sample's own misspelling, reproduced verbatim here, and is a usable string indicator. Note that svhost32.exe is whitelisted alongside csrs.exe although no file of that name is written during this run (see Files); the entry is only a registry artifact, but it is one worth hunting for.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pDbNr.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\csrs.exe | N/A (2 instances)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrs = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe" | C:\Windows\SysWOW64\reg.exe | N/A

The writing process is reg.exe, launched by the cmd.exe that runs the dropped batch file cPtxJ.bat (see Processes), not the sample itself. A Run-key detection keyed on the image of the writing process therefore sees only reg.exe; the parent chain or the REG ADD command line is what ties the write back to the dropper.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2016 set thread context of 2652 | N/A | C:\Users\Admin\AppData\Roaming\csrs.exe | C:\Users\Admin\AppData\Roaming\csrs.exe

Source and target are two instances of the same image: the first csrs.exe (2016) starts a second copy of itself (2652), writes into it nine times (see Suspicious use of WriteProcessMemory) and then resets its thread context. That sequence, together with the smaller mapped image of 2652 in the Files section (0x400000-0x45D000 versus 0x400000-0x5DC000 for 2016), is consistent with process hollowing of a suspended child.

UPX packed file

upx
Description | Indicator | Process | Target
23 matches (the report gives no per-match details for this signature)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A (5 occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A (5 occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\csrs.exe | N/A (2 occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pDbNr.exe | N/A

Every process in the tree, including the Microsoft-signed cmd.exe and reg.exe, opens this key; locale initialisation in ordinary processes touches it as well, so this signature is weak on its own and mainly documents which processes the sandbox instrumented.

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A (4 occurrences; no per-match details reported)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1 through Token: 35 (35 rows, one per privilege LUID in ascending order) | N/A | C:\Users\Admin\AppData\Roaming\csrs.exe | N/A

The sandbox resolved LUIDs 2 to 30 to their names, in this order: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege. It left 1 and 31 to 35 as raw numbers; in winnt.h, LUID 1 has no well-known privilege name (SE_MIN_WELL_KNOWN_PRIVILEGE is 2) and 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. A contiguous sweep from 1 upward is the footprint of a loop that calls AdjustTokenPrivileges on every LUID to enable whatever the token happens to hold, rather than a targeted request for SeDebugPrivilege. The table records the requests, not whether any of them succeeded.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Writes logged
PID 2364 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe | C:\Users\Admin\AppData\Local\Temp\pDbNr.exe | 4
PID 2364 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2756 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2364 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe | C:\Users\Admin\AppData\Roaming\csrs.exe | 4
PID 2016 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\csrs.exe | C:\Users\Admin\AppData\Roaming\csrs.exe | 9
PID 2652 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Roaming\csrs.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2652 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Roaming\csrs.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2652 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Roaming\csrs.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2652 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Roaming\csrs.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1940 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2160 wrote to memory of 2356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2432 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2156 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 4

Every ordinary parent-to-child process creation in this run, including the benign cmd.exe to reg.exe steps, shows the same four writes, so four is the loader's baseline on this Windows 7 image and not an injection indicator by itself. The one outlier is csrs.exe (2016) writing nine times into a second instance of its own image (2652), the same pair that appears under Suspicious use of SetThreadContext; that combination, not the WriteProcessMemory count alone, is what marks the hollowing.
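The pattern above (same-image parent and child, a write count above the CreateProcess baseline, and a SetThreadContext on the child) can be pulled out of sandbox tables mechanically. The following is an added example written for this page, not part of the report or of any sandbox's tooling. It parses the "PID X wrote to memory of Y" and "PID X set thread context of Y" rows, rebuilds the process tree, derives the per-child write baseline from the data itself rather than hard-coding four, and flags edges that match at least two of the three hollowing criteria. The input is constructed from the tables above with image paths shortened to basenames and the sample renamed sample.exe; repetition of rows is deliberate because the count is the signal.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed input: the rows of the two behavioral1 tables, one line per logged event,
# with full image paths shortened to basenames and the sample renamed "sample.exe".
WPM_ROWS = (
    ["PID 2364 wrote to memory of 2540 N/A sample.exe pDbNr.exe"] * 4
    + ["PID 2364 wrote to memory of 2756 N/A sample.exe cmd.exe"] * 4
    + ["PID 2756 wrote to memory of 2740 N/A cmd.exe reg.exe"] * 4
    + ["PID 2364 wrote to memory of 2016 N/A sample.exe csrs.exe"] * 4
    + ["PID 2016 wrote to memory of 2652 N/A csrs.exe csrs.exe"] * 9
    + ["PID 2652 wrote to memory of 2432 N/A csrs.exe cmd.exe"] * 4
    + ["PID 2432 wrote to memory of 2300 N/A cmd.exe reg.exe"] * 4
)
STC_ROWS = ["PID 2016 set thread context of 2652 N/A csrs.exe csrs.exe"]

EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \S+ (\S+) (\S+)$"
)
Edge = Tuple[int, int]


def parse_events(rows: List[str]):
    """Tally WriteProcessMemory edges, collect SetThreadContext edges, map PID -> image name."""
    writes: Counter = Counter()
    ctx: Set[Edge] = set()
    image: Dict[int, str] = {}
    for row in rows:
        m = EVENT_RE.match(row.strip())
        if not m:
            continue  # header lines, blanks, anything the regex does not recognise
        src, kind, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        image[src], image[dst] = src_img, dst_img
        if kind.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx, image


def baseline_writes(writes: Counter) -> int:
    """Most common per-child write count: the loader's normal CreateProcess footprint."""
    if not writes:
        return 0
    return Counter(writes.values()).most_common(1)[0][0]


def roots(writes: Counter) -> Set[int]:
    """PIDs that write to others but were never written to: the tree roots."""
    return {p for p, _ in writes} - {c for _, c in writes}


def render_tree(writes: Counter, image: Dict[int, str]) -> List[str]:
    """Indented process tree, two spaces per level, children in PID order."""
    kids = defaultdict(list)
    for p, c in writes:
        kids[p].append(c)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{image[pid]} ({pid})")
        for c in sorted(kids[pid]):
            walk(c, depth + 1)

    for r in sorted(roots(writes)):
        walk(r, 0)
    return lines


def hollowing_candidates(writes: Counter, ctx: Set[Edge], image: Dict[int, str]):
    """Flag parent->child edges matching at least two of: same image, writes above
    baseline, SetThreadContext on the child. Returns (parent, child, image, reasons)."""
    base = baseline_writes(writes)
    found = []
    for (p, c), n in writes.items():
        reasons = []
        if image[p].lower() == image[c].lower():
            reasons.append("child is a second instance of the parent's image")
        if n > base:
            reasons.append(f"{n} writes versus baseline {base}")
        if (p, c) in ctx:
            reasons.append("parent set the child's thread context")
        if len(reasons) >= 2:
            found.append((p, c, image[c], reasons))
    return found


if __name__ == "__main__":
    w, s, img = parse_events(WPM_ROWS + STC_ROWS)
    print("\n".join(render_tree(w, img)))
    for p, c, name, why in hollowing_candidates(w, s, img):
        print(f"hollowing candidate: {name} {p} -> {c}: " + "; ".join(why))
```

Deriving the baseline from the data matters: the Windows 10 run (behavioral2) logs three writes per ordinary child rather than four, so a hard-coded threshold tuned on one image would misfire on the other.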

Processes

Process tree, reconstructed from the command lines the report lists and the parent/child pairs in the WriteProcessMemory table. The four cmd.exe/reg.exe pairs under the second csrs.exe cannot be matched to individual PIDs from the report, so their command lines are given in the order the report lists them.

C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe (PID 2364)
  "C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe"

  +-- C:\Users\Admin\AppData\Local\Temp\pDbNr.exe (PID 2540)
        "C:\Users\Admin\AppData\Local\Temp\pDbNr.exe"

  +-- C:\Windows\SysWOW64\cmd.exe (PID 2756)
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cPtxJ.bat" "

        +-- C:\Windows\SysWOW64\reg.exe (PID 2740)
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f

  +-- C:\Users\Admin\AppData\Roaming\csrs.exe (PID 2016)
        "C:\Users\Admin\AppData\Roaming\csrs.exe"

        +-- C:\Users\Admin\AppData\Roaming\csrs.exe (PID 2652; second instance, launched with the unquoted path, and the target of 2016's WriteProcessMemory and SetThreadContext calls)
              C:\Users\Admin\AppData\Roaming\csrs.exe

              +-- C:\Windows\SysWOW64\cmd.exe, four instances (PIDs 2432, 2160, 2156, 1940), each spawning one C:\Windows\SysWOW64\reg.exe (PIDs 2300, 2356, 2688, 2952)
                    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f
                    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f
                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f
                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Neither the dropper nor the RAT image is ever the process that writes to the registry: the Run key comes from reg.exe under the batch file, and the firewall keys from reg.exe under the second csrs.exe instance. Telemetry that records only the writing process shows reg.exe every time; the parent chain and the REG ADD command lines are what attribute the writes.
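The REG ADD command lines above carry everything a detection needs: the key, the value name and the data. As an added example for this page (not part of the report, and not a sandbox's own signature logic), the Python below tokenises a Windows command line while keeping quoted arguments intact, recognises REG ADD whether or not it is wrapped in cmd /c, normalises hive and control-set spellings so the sandbox's \REGISTRY\MACHINE\...\ControlSet001 form matches the HKLM\...\CurrentControlSet form in the command line, and classifies the write as Run-key persistence, a legacy firewall application exception (parsing the path:scope:Enabled:name format with rsplit, since the drive letter also contains a colon), or a DoNotAllowExceptions reset. The sample command lines are copied from the Processes section; the final benign line is constructed to show a non-match, and the user-writable directory markers are this example's own heuristic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Command lines copied from the Processes section of behavioral1, plus one constructed,
# benign REG ADD (the last entry) that the classifier should ignore.
REPORT_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD "HKLM\SOFTWARE\ExampleVendor\ExampleApp" /v Installed /t REG_DWORD /d 1 /f',  # constructed, benign
]

# Heuristic (this example's assumption): paths under these directories are writable
# by an unprivileged user, so an exception or Run entry pointing there is suspicious.
USER_WRITABLE = ("\\APPDATA\\", "\\TEMP\\", "\\PROGRAMDATA\\", "\\USERS\\PUBLIC\\")


@dataclass
class Finding:
    technique: str            # persistence.run_key | evasion.firewall_exception | evasion.firewall_allow_exceptions
    key: str
    value_name: str
    data: str
    exe_path: Optional[str] = None
    user_writable: bool = False
    display_name: Optional[str] = None


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted arguments as single tokens."""
    return [q if q else u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_reg_add(cmdline: str):
    """Return (key, value_name, data) for a REG ADD command, possibly behind cmd /c; else None."""
    toks = _tokens(cmdline)
    for i in range(len(toks) - 2):
        if toks[i].upper() == "REG" and toks[i + 1].upper() == "ADD":
            key, rest, switches = toks[i + 2], toks[i + 3:], {}
            j = 0
            while j < len(rest):
                sw = rest[j].lower()
                if sw in ("/v", "/t", "/d") and j + 1 < len(rest):
                    switches[sw] = rest[j + 1]
                    j += 2
                else:
                    j += 1  # /f and any stray token
            return key, switches.get("/v", ""), switches.get("/d", "")
    return None


def _norm_key(key: str) -> str:
    """Upper-case, map kernel hive paths to HKLM/HKCU and ControlSetNNN to CurrentControlSet."""
    k = key.strip("\\").upper()
    k = k.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    k = re.sub(r"^REGISTRY\\MACHINE", "HKLM", k)
    k = re.sub(r"^REGISTRY\\USER\\S-1-5-21-[\d-]+", "HKCU", k)  # per-user SID hive treated as HKCU
    return re.sub(r"\\CONTROLSET\d{3}\\", r"\\CURRENTCONTROLSET\\", k)


def _is_user_writable(path: str) -> bool:
    p = path.upper()
    return any(marker in p for marker in USER_WRITABLE)


def classify(cmdline: str) -> Optional[Finding]:
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key, name, data = parsed
    k = _norm_key(key)
    if k.endswith("\\CURRENTVERSION\\RUN") or k.endswith("\\CURRENTVERSION\\RUNONCE"):
        path = data.strip('"')
        return Finding("persistence.run_key", key, name, data, path, _is_user_writable(path))
    if "\\FIREWALLPOLICY\\" in k:
        if k.endswith("\\AUTHORIZEDAPPLICATIONS\\LIST"):
            parts = data.rsplit(":", 3)        # path:scope:Enabled|Disabled:display name
            path = parts[0]
            display = parts[3] if len(parts) == 4 else None
            return Finding("evasion.firewall_exception", key, name, data, path, _is_user_writable(path), display)
        if name.upper() == "DONOTALLOWEXCEPTIONS" and data.strip('"') == "0":
            return Finding("evasion.firewall_allow_exceptions", key, name, data)
    return None


def scan(cmdlines) -> List[Finding]:
    return [f for f in (classify(c) for c in cmdlines) if f is not None]


if __name__ == "__main__":
    for f in scan(REPORT_CMDLINES):
        print(f.technique, f.exe_path or f.value_name, "(user-writable)" if f.user_writable else "")
```

Because the match is on key and value semantics rather than on the literal string, the same classifier fires on the sandbox's own "Set value" rows once their \REGISTRY\MACHINE\...\ControlSet001 paths go through _norm_key, which is how a hunt query and a sandbox signature can share one rule.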

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 46657272617269.3utilities.com | udp

Only the DNS lookup was recorded; no connection to a resolved address appears in this run. 3utilities.com is a free dynamic DNS suffix operated by No-IP, and the leftmost label is the hex encoding of the ASCII string "Ferrari" (0x46 0x65 0x72 0x72 0x61 0x72 0x69). Both the full query name and the decoded label are worth a watchlist entry, since the same host part may reappear under a different dynamic DNS suffix.
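Hex-encoded host labels on dynamic DNS domains are easy to triage in bulk. The block below is an added example for this page, not part of the report or of any sandbox's code: it decodes a label only when the whole label is clean hex of even length, at least six characters (so ordinary words that happen to be hex, such as cafe or dead, are not "decoded"), and every byte is printable ASCII, and it scores the query by suffix and by the presence of such a label. The suffix list is an assumption for the example; 3utilities.com is the one entry this report needs and the rest are further free dynamic DNS domains from the same kind of provider.

```python
import string
from typing import Dict, List, Optional, Tuple

# Assumed watchlist of free dynamic DNS suffixes (analyst-maintained; extend from your own intel).
DYNDNS_SUFFIXES = (
    "3utilities.com", "no-ip.org", "no-ip.biz", "ddns.net",
    "hopto.org", "zapto.org", "sytes.net",
)

HEX_DIGITS = set("0123456789abcdefABCDEF")
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_hex_label(label: str) -> Optional[str]:
    """Return the text a DNS label hex-encodes, or None when it is not a clean encoding.
    Rejects labels shorter than six characters (real words such as 'cafe' are valid hex),
    odd lengths, non-hex characters, and any byte outside printable ASCII."""
    if len(label) < 6 or len(label) % 2 or not set(label) <= HEX_DIGITS:
        return None
    text = bytes.fromhex(label).decode("latin-1")  # never raises; printability is checked next
    return text if set(text) <= PRINTABLE_ASCII else None


def matching_suffix(qname: str) -> Optional[str]:
    """The watchlisted suffix the name falls under, or None."""
    name = qname.rstrip(".").lower()
    for s in DYNDNS_SUFFIXES:
        if name == s or name.endswith("." + s):
            return s
    return None


def triage_query(qname: str) -> Dict[str, object]:
    """Score one query name: 2 for a dynamic DNS suffix, 1 for a hex-encoded host label."""
    name = qname.rstrip(".").lower()
    suffix = matching_suffix(name)
    labels = name.split(".")
    if suffix:
        labels = labels[: len(labels) - (suffix.count(".") + 1)]  # keep only the host part
    decoded: List[Tuple[str, str]] = []
    for label in labels:
        text = decode_hex_label(label)
        if text is not None:
            decoded.append((label, text))
    return {
        "qname": name,
        "dynamic_dns": suffix,
        "decoded_labels": decoded,
        "score": (2 if suffix else 0) + (1 if decoded else 0),
    }


if __name__ == "__main__":
    # The one query recorded in this run, plus a constructed benign name for contrast.
    for q in ("46657272617269.3utilities.com", "www.example.com"):
        print(triage_query(q))
```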

Files

memory/2364-0-0x0000000000400000-0x00000000005DC000-memory.dmp

\Users\Admin\AppData\Local\Temp\pDbNr.exe

MD5 466773bfcbd01059584cdae36e3c281c
SHA1 81e68615ef27cf363d6fe96582433c8a7ce8043b
SHA256 21f0910a1d71dfc63744474b2ba6b8248d893226576ea48791dc0cef7dd52105
SHA512 1088e7180a7d4ed717307c03884aebd945c5f78ffd6c4a4d7e84e504dc2da0434fe4173c63f1afd5a57e83e1783b3359ce123e85bb62699fb663bc9b1c02129f

memory/2364-12-0x00000000032C0000-0x00000000032D7000-memory.dmp

memory/2364-11-0x00000000032C0000-0x00000000032D7000-memory.dmp

memory/2540-20-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cPtxJ.bat

MD5 34a635bb69f9dc2d8e8ceba2f6b25308
SHA1 66bbd6b4eb975af0a799c6be7aaed6917f5df10c
SHA256 eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a
SHA512 ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

C:\Users\Admin\AppData\Roaming\csrs.exe

MD5 d67c61a069583095100d15e284b6c656
SHA1 a0674f2a78fb77d784e828fc4c16acac69520781
SHA256 8ed301f5eaff9b373eeea1122f256e8fe47aae311554cf5d13e4ff846699c86f
SHA512 ea0042faaf1dbdcb3cde0cd1219473bd82843659e2adf128d8b71799c60c1e9dd037c8b09a2bbe837d44f074bc43c8b72855bcbb51a20b70de3fe61dbc0b1afe

memory/2364-61-0x00000000037A0000-0x000000000397C000-memory.dmp

memory/2364-60-0x00000000037A0000-0x000000000397C000-memory.dmp

memory/2016-63-0x0000000000400000-0x00000000005DC000-memory.dmp

memory/2364-65-0x0000000000400000-0x00000000005DC000-memory.dmp

memory/2652-76-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-75-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-74-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-73-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-70-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2016-81-0x0000000000400000-0x00000000005DC000-memory.dmp

memory/2540-84-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2652-85-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-89-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-92-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-94-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-96-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-98-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-103-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-108-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2652-113-0x0000000000400000-0x000000000045D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-07 22:23

Reported

2025-03-07 22:26

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description | Indicator | Process | Target
13 matches (the report gives no per-match details for this signature)

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A (3 occurrences)
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A (2 occurrences)
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A (2 occurrences)
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost32.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A

These are the same four REG ADD commands seen on Windows 7, written to the XP-era Windows Firewall policy layout (StandardProfile\AuthorizedApplications\List); the extra Key created row for AuthorizedApplications shows the intermediate key was absent on this Windows 10 image and was created by reg.exe. Whether the current firewall service honours entries written there is not something this report establishes and should be verified rather than assumed, but the written values are a stable host artifact either way.

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe | N/A

The sample itself reads the user's configured country (the GeoID under Geo\Nation). This is the value a geofenced sample consults, but locale-aware runtimes read it too, so a single query is weak evidence on its own; the Windows 7 run (behavioral1) did not report this signature.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dVQPK.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\csrs.exe | N/A (2 instances)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrs = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3532 set thread context of 1216 | N/A | C:\Users\Admin\AppData\Roaming\csrs.exe | C:\Users\Admin\AppData\Roaming\csrs.exe

As on Windows 7, the first csrs.exe instance (3532) targets a second instance of its own image (1216) after writing into it eight times (see Suspicious use of WriteProcessMemory), the sequence consistent with process hollowing.

UPX packed file

upx
Description | Indicator | Process | Target
23 matches (the report gives no per-match details for this signature)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A (5 occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A (5 occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\csrs.exe | N/A (2 occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dVQPK.exe | N/A

As in the Windows 7 run, every process in the tree opens this key, the Microsoft-signed cmd.exe and reg.exe included, so the signature carries little weight by itself.

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A (4 occurrences; no per-match details reported)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1 through Token: 35 (35 rows, one per privilege LUID in ascending order) | N/A | C:\Users\Admin\AppData\Roaming\csrs.exe | N/A

The list is identical to the Windows 7 run: LUIDs 2 to 30 resolved by name (SeCreateTokenPrivilege through SeCreateGlobalPrivilege, in winnt.h order), with 1 and 31 to 35 left as numbers (31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege; LUID 1 has no well-known name). The contiguous sweep indicates a loop enabling every privilege LUID rather than a targeted request, and the table records the requests, not their outcome.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe C:\Users\Admin\AppData\Local\Temp\dVQPK.exe
PID 2896 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe C:\Users\Admin\AppData\Local\Temp\dVQPK.exe
PID 2896 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe C:\Users\Admin\AppData\Local\Temp\dVQPK.exe
PID 2896 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2896 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2896 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 2896 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3532 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3532 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3532 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3532 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3532 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3532 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3532 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 3532 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Users\Admin\AppData\Roaming\csrs.exe
PID 1216 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\csrs.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4704 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4704 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4836 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4836 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4836 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5060 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5060 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5060 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe

"C:\Users\Admin\AppData\Local\Temp\873dca0bba8aa4acfa59ad05bdcf61f845aa42bf1c1147a17766fab72204c2fb.exe"

C:\Users\Admin\AppData\Local\Temp\dVQPK.exe

"C:\Users\Admin\AppData\Local\Temp\dVQPK.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xhgpS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f

C:\Users\Admin\AppData\Roaming\csrs.exe

"C:\Users\Admin\AppData\Roaming\csrs.exe"

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Users\Admin\AppData\Roaming\csrs.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp
US 8.8.8.8:53 46657272617269.3utilities.com udp

Files

memory/2896-0-0x0000000000400000-0x00000000005DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dVQPK.exe

MD5 466773bfcbd01059584cdae36e3c281c
SHA1 81e68615ef27cf363d6fe96582433c8a7ce8043b
SHA256 21f0910a1d71dfc63744474b2ba6b8248d893226576ea48791dc0cef7dd52105
SHA512 1088e7180a7d4ed717307c03884aebd945c5f78ffd6c4a4d7e84e504dc2da0434fe4173c63f1afd5a57e83e1783b3359ce123e85bb62699fb663bc9b1c02129f

memory/4904-11-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xhgpS.txt

MD5 34a635bb69f9dc2d8e8ceba2f6b25308
SHA1 66bbd6b4eb975af0a799c6be7aaed6917f5df10c
SHA256 eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a
SHA512 ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

C:\Users\Admin\AppData\Roaming\csrs.txt

MD5 7016bf85e73e82bbc8c09f444271b6d3
SHA1 4d332ebd3062610984f6b29e48940cc54878f781
SHA256 ccb21f3a37ad03b5e70a5ad08bc245fc0a7cc56569b0f12b48c380a96ae793b5
SHA512 16810f8387b5e3a7985c7eefbf276ec2e31a251d1e4695f47e59665c86d234d1e7461cddaac74eb84b316c0febcbdf3f1696f863ccefb78f3f369c346b6d7cbc

memory/2896-40-0x0000000000400000-0x00000000005DC000-memory.dmp

memory/3532-41-0x0000000000400000-0x00000000005DC000-memory.dmp

memory/1216-42-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-46-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-47-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-48-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3532-49-0x0000000000400000-0x00000000005DC000-memory.dmp

memory/4904-55-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1216-56-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-60-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-65-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-67-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-70-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-72-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-74-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-76-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-79-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-81-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1216-83-0x0000000000400000-0x000000000045D000-memory.dmp