Malware Analysis Report

2025-04-03 10:19

Sample ID 250130-vps16azkap
Target JaffaCakes118_64e4580da28c25452a79e455f34f9f15
SHA256 9d9119a14307b53c31fa217e17139c761b27d45694a154dc7b4bf6eacd058466
Tags
blackshades defense_evasion discovery rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d9119a14307b53c31fa217e17139c761b27d45694a154dc7b4bf6eacd058466

Threat Level: Known bad

The file JaffaCakes118_64e4580da28c25452a79e455f34f9f15 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery rat upx

Blackshades

Blackshades family

Modifies firewall policy service

Blackshades payload

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-30 17:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-30 17:10

Reported

2025-01-30 17:12

Platform

win7-20240903-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Rename Server.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Rename Server.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3040 set thread context of 3060 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
Token: 1 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 31 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 32 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3040 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3040 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3040 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2664 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2664 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2664 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2664 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3040 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3040 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3040 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3040 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3040 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3040 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3040 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3040 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3040 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3040 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3040 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3040 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3060 wrote to memory of 2512 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2512 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2512 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2512 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2540 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 2540 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 2540 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 2540 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3060 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2968 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2968 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2968 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2968 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3040 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3040 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3040 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2572 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2572 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2572 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2572 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2584 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2752 wrote to memory of 268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2752 wrote to memory of 268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2752 wrote to memory of 268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8E1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF8E0.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA95.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFA94.tmp"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Rename Server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Rename Server.exe:*:Enabled:Windows Messanger" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline"

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Rename Server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Rename Server.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB51.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFB50.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 jaaedyn.no-ip.biz udp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 8.8.8.8:53 jaaedyn.no-ip.biz udp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 8.8.8.8:53 jaaedyn.no-ip.biz udp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp

Files

memory/3040-0-0x0000000074051000-0x0000000074052000-memory.dmp

memory/3040-1-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/3040-2-0x0000000074050000-0x00000000745FB000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline

MD5 1a492b8696bf5ab0e343eb40cb7018cb
SHA1 9b76be5468f631bc8e986e6bca2426f2e17c4059
SHA256 7377b96720e85d10878e603f9ea47f2388a4eeadecd51369ec1b2685dd7e3450
SHA512 fef3bd8acb83a80a6769de8d04148798c8dd76a6cda8a116a229771d0b67a69758b4671eca5237dbfed6dca4262a02439328b2315cf9b86c034469d76e00d19d

\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.0.cs

MD5 c79c02b8be614ba0ad11b9a2deac9067
SHA1 5338181abf8d8436df240ec8bfe8699ed40eac83
SHA256 aeb41fe4117e42c32d7c61fe9caa02f2ec937418a3ffb6ee64b5a8309e0d7b78
SHA512 4b0efe655b237185454a41c79c1b5cd9b8e80cfa36f7abb8a5d63629f400bb73d58f196584ec5421a8b2e6608b9c00d44514ada9651bcf19aea8ba4cce5b4a4e

memory/2664-8-0x0000000074050000-0x00000000745FB000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCF8E0.tmp

MD5 6ec421ae2b9a6a92627384f879cbba07
SHA1 235dda47d5ac52213590734543380a8311f249c6
SHA256 bf6ab0d3c96e0c5473c66542ceb9f3e33cb4ffc419af5a1cbe74bcdff9a8cfdf
SHA512 498e81f2003295c7d4f9c8f4a2f6494da44d305ed6d955d4cdd099483bfcebb2a0e24d47ad896f51d2ab5156d308d4cbce73a179764e52f6ff47687bc6c59922

C:\Users\Admin\AppData\Local\Temp\RESF8E1.tmp

MD5 92e32849be68e7f82efa556f535a19b0
SHA1 3c66ffae1e6fc0a47eae96ca1130761190c901bb
SHA256 70d272f89ae976332a1f6c27f8376a6d12dffad3d7eb0f8a35e41e9a0a647100
SHA512 de8eefe9d373eff28fe3e358743b09100d50029b26a74b8bea33d969107f7b809bab834b9c58489151fe7b6c4e92953185ed8e21a64a9c0c0f4b3b5b4439b988

C:\Users\Admin\AppData\Local\Temp\th3nylqn.dll

MD5 38bb1cf8b89acddfee83c987b523afde
SHA1 62abab20746d25bfc9bc0c012810aceb60a26059
SHA256 a6f8c456e285db7847bc2f61fa4abda79a0149269d9af2224c7939165dc20c3f
SHA512 daea13f6c928411e06d6083adcb01f36e04e6b1d5f6231012bc2f490e166e0e5db7beba9c2a74177a75364ac0ff6a3a39d04f332eefabe136a938a496cb37c85

memory/2664-15-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/3060-20-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-31-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-18-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-30-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-29-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-28-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-24-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3060-21-0x0000000000400000-0x000000000045D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline

MD5 f32f14e4c1df0b7a26fa9da055ff2c31
SHA1 4f93f1a8784e420e9254e41804c0f93c2dd7819c
SHA256 5ad23318e0f56c23c926fbc60798cd866e0a0376ac63875514fafa2117b16c01
SHA512 ac9cca0e7eb4d268b2201ce2afa311df3fb127001e05ed61404d9a0ebcf5698b3df39a913e2c8624e1ba8ccf9c33ddbe9ab9387f8e79e11b109b810d78c18477

C:\Users\Admin\AppData\Local\Temp\RESFA95.tmp

MD5 4ccf576d345b17de6548077589547315
SHA1 01077f7a4848fc5dc4087a8eb4b98c7c79d2384f
SHA256 cbd335673d7bc3d701aa317df007949ea9d91954979d49b3bc9e0602259e4c2d
SHA512 d0a8717bf518e4503896aa43829729b35228e675c169791467e259d2d0298b2af27a2692e6c88596394a31f85e028aa94d34c9f0279dcda5aa4cc4f7f492cb2c

\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.0.cs

MD5 7b2710d3c14f50327d82682f1788ac9c
SHA1 db6323843b42649f002accea370f951ad10452bd
SHA256 cf3742c2d19768ac180864c89a57abffca72120fa2fa3d2872ddc5fb9901704f
SHA512 7f0c429790ac2a29c37fa802e150ec6cb96f906c6b33d6b61bda74690a06a68be016e062d141a1499d5bf521ef379f6531e7274e270bbf20aac8af49710d6479

C:\Users\Admin\AppData\Local\Temp\th3nylqn.dll

MD5 3c56633a39ecee5cf87486b402e5a66a
SHA1 6867e4588cd1ccc729fdf405b734f4f842382149
SHA256 8785b93bf5a0167f92068843ff5626a0bc0693c184a95888ea7bf29d80529ac6
SHA512 03f618212f4654a4956ca1b3455f70d0735e1af4a3c1fd7703bcc10c9707bb4f9d750f2dfd315e86db845043394986b5d34105caaedda9c425514ff836049202

\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline

MD5 d2daa8bf1fbb0265f3ab80912c773339
SHA1 58b21c350ff004c16d83b8ff7cb3b78e94553883
SHA256 759706a92dd21bc1da1b80d9a648d75b47a075cb54ff69ab83d78d6656c6ed23
SHA512 b6ccf51c9c8e8b49214d6694547b25d43640127542780628587a3e289b7c63d29859700107e4b827c49a49d808f76c5a7bffed43208897dbab06329ce3d4cf2f

\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.0.cs

MD5 412e1c803f61cea207aa4b53c9b4a3bb
SHA1 79b56c2016e0eb4e0de20ef8085dd8caa2b0a810
SHA256 03928f10904ba363d8e763f42883e9c9e6a54f5514b323c48fca4ace6f8d2b71
SHA512 9cb9f92cee9e2b22424c8c0f60b53143ff7799a61a06a02291102912208311fb41ea95e16a175f46fbf0cce41b2f18f4eacaa5ae60625aa0e89beec5ac299b3b

C:\Users\Admin\AppData\Local\Temp\RESFB51.tmp

MD5 d0653d525a02ac9c9a95f4e8498855a7
SHA1 41bd913de9510f7e8d971baf085edbbbe05f984c
SHA256 c0787ffcc4bc48e775e28fefcbcf3ac92cc3d44cca9623088a2ee34d5a5a8acf
SHA512 678aba225a3b3985055f09fe4af4b515a8a92e562a73cc62c69564a8cf5ab73014358c0550f09214e4e3f9036f4ca76444267167a5f7467c4da0c81b4259840e

C:\Users\Admin\AppData\Local\Temp\th3nylqn.dll

MD5 4b2c2ffaf528281b8b3a41b598c031ee
SHA1 735af9fc92032b003b2f22a52cfb16259e04338f
SHA256 dcff2fa61ebb8895b964bf84e97ea4ac851328d8a0a8764f0dd0b2ae7d5ea65b
SHA512 17796ce12e62a71e4dfadeb9c4af10bee28ad6ea3a384355eccc5eb67982915e0e829b2a7b58bd0a88131fb61b4798494f54c30d21537d8e4fe3915d1ef2de84

memory/3040-61-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/3060-62-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-63-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-65-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-66-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-67-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-69-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-70-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-71-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-73-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-74-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-75-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-77-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-78-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3060-79-0x0000000000400000-0x000000000045D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-30 17:10

Reported

2025-01-30 17:12

Platform

win10v2004-20250129-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Rename Server.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Rename Server.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4896 set thread context of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe N/A
Token: 1 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 31 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 32 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4896 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 4896 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 4896 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 4652 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4652 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4652 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4896 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4896 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4896 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4896 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4896 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4896 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4896 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4896 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4896 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 4896 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 4896 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2136 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2136 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2136 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1720 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 4896 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 4896 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1720 wrote to memory of 5092 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 5092 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 5092 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 3500 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 3500 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 3500 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2944 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2944 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2400 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2400 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2400 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2368 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2864 wrote to memory of 2368 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2864 wrote to memory of 2368 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8ailbhu9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA104.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA0F3.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8ailbhu9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA307.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA306.tmp"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8ailbhu9.cmdline"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Rename Server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Rename Server.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Rename Server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Rename Server.exe:*:Enabled:Windows Messanger" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA3D1.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 11.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 jaaedyn.no-ip.biz udp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 8.8.8.8:53 13.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 jaaedyn.no-ip.biz udp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 8.8.8.8:53 jaaedyn.no-ip.biz udp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 78.159.143.172:3080 jaaedyn.no-ip.biz tcp
US 8.8.8.8:53 udp

Files
