Malware Analysis Report

2025-04-03 10:15

Sample ID 250203-eg9qya1nfr
Target JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f
SHA256 001f9f11da02e10099ad21eff3fca1ec7b155b4efbc205ee9f100fe7c8a35622
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

001f9f11da02e10099ad21eff3fca1ec7b155b4efbc205ee9f100fe7c8a35622

Threat Level: Known bad

The file JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades

Blackshades family

Modifies firewall policy service

Blackshades payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-03 03:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-03 03:55

Reported

2025-02-03 03:58

Platform

win7-20240903-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\CMsk1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CMsk1.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\noinstall.exe = "C:\\Users\\Admin\\AppData\\Roaming\\noinstall.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javaw.exe" C:\Users\Admin\AppData\Local\Temp\b6FC6.exe N/A
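The two registry tables above ("Modifies firewall policy service" and "Adds Run key to start application") are the most actionable rows in this report: reg.exe, launched from CMsk1.exe, adds a legacy per-application firewall exception for CMsk1.exe and for C:\Users\Admin\AppData\Roaming\noinstall.exe under AuthorizedApplications\List with the display name "Windows Messanger" (the misspelling is itself a usable indicator, since no Microsoft product ships under that name), and resets DoNotAllowExceptions to 0 so the exception is not overridden by "Block all incoming connections". Separately, b6FC6.exe writes a Run value named MSE that points at javaw.exe in the user's Temp directory, names that appear chosen to pass for Microsoft Security Essentials and the Java launcher. The following Python is an added example, not the sandbox's signature logic: it parses "Set value" rows in the exact format this report prints them (the sample rows are copied from the tables above) and labels the three behaviours. The user-writable directory markers and the classification rules are the editor's own heuristics. Whether a Windows 7 or 10 firewall still honours a legacy List entry is a separate question; the write itself is the indicator worth alerting on.

```python
"""Triage registry writes from a sandbox report.

Added example for this page; it is not the sandbox's own signature logic.
The input rows are copied from the report tables above; the rules that
label them are the editor's heuristics.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: event rows copied from the behavioral1 tables, one per line.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\CMsk1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CMsk1.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\noinstall.exe = "C:\\Users\\Admin\\AppData\\Roaming\\noinstall.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javaw.exe" C:\Users\Admin\AppData\Local\Temp\b6FC6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
"""

# Row shape as the report prints it: Set value (<type>) <path> = "<data>" <writer> <target>
EVENT_RE = re.compile(
    r'^Set value \((?:str|int)\) (?P<path>\S+) = "(?P<data>.*?)" (?P<writer>\S+) N/A$'
)

# Directory markers an unprivileged user can write to (editor's list, lower-cased).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass
class Finding:
    kind: str            # what the write achieves
    program: str         # program the value refers to ("" when not applicable)
    display_name: str    # firewall display name, or the Run value name
    writer: str          # process that performed the write
    user_writable: bool  # program lives in a directory an unprivileged user can write


def _unescape(data: str) -> str:
    # The report doubles backslashes inside quoted data.
    return data.replace("\\\\", "\\")


def _in_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def classify(path: str, data: str, writer: str) -> Optional[Finding]:
    lowered = path.lower()
    if "\\firewallpolicy\\" in lowered and "\\authorizedapplications\\list\\" in lowered:
        # Legacy per-application exception: "<exe>:<scope>:<Enabled|Disabled>:<display name>".
        # rsplit keeps the drive-letter colon inside the program path.
        program, _scope, state, name = _unescape(data).rsplit(":", 3)
        kind = "firewall_exception" if state.lower() == "enabled" else "firewall_exception_disabled"
        return Finding(kind, program, name, writer, _in_user_writable(program))
    if lowered.endswith("\\firewallpolicy\\standardprofile\\donotallowexceptions") and data == "0":
        # Clears "Block all incoming connections" so the exception above takes effect.
        return Finding("firewall_exceptions_enabled", "", "DoNotAllowExceptions", writer, False)
    if "\\software\\microsoft\\windows\\currentversion\\run\\" in lowered:
        program = _unescape(data)
        value_name = path.rsplit("\\", 1)[1]
        return Finding("run_key_persistence", program, value_name, writer, _in_user_writable(program))
    return None


def triage(report_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in report_text.splitlines():
        match = EVENT_RE.match(line.strip())
        if not match:
            continue  # "Key created" / "Key opened" rows carry no data to classify
        finding = classify(match["path"], match["data"], match["writer"])
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.kind:28} {f.display_name!r:24} {f.program}  <- {f.writer}")
```

Run against the report's own rows, the parser yields two enabled firewall exceptions for programs under user-writable paths, one DoNotAllowExceptions reset, and one Run-key entry pointing into Temp; the same regex works on the behavioral2 rows because the sandbox prints them identically.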

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1660 set thread context of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b6FC6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe N/A
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1660 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1660 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1660 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2236 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2236 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2236 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2236 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1660 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\b6FC6.exe
PID 1660 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\b6FC6.exe
PID 1660 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\b6FC6.exe
PID 1660 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\b6FC6.exe
PID 1660 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1660 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1660 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1660 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 1660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 1660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 1660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 1660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 1660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 1660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 1660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 1660 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe
PID 1660 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe
PID 1660 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe
PID 1660 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe
PID 2688 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2572 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2572 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2572 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2620 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2620 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2620 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2620 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
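Read together, the "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory" tables describe one injection and one launch chain. The original sample (PID 1660) writes into CMsk1.exe (PID 2688) twice as often as into any other child and is the only process that also sets a thread context, and the memory dumps the sandbox took of PID 2688 all cover 0x400000-0x470000, the default 32-bit image base. Write-then-SetThreadContext is the shape of process hollowing, although these rows alone do not prove the written bytes were a PE image. The same tables also show 1660 driving csc.exe and cvtres.exe with response files in Temp (the dropped .cmdline and .0.cs files appear in the Files section), and the chain CMsk1.exe -> cmd.exe -> reg.exe that performs the firewall changes. The Python below is an added example, not sandbox code: it parses the rows in the report's format, flags hollowing candidates, walks a process back to the root, and flags .NET build tools written to from user-writable paths. The sample keeps two of the eight rows for PID 2688 and one per other pair; the directory markers and tool list are the editor's assumptions. Treating a write as a parent link is a heuristic: CreateProcess itself writes into the new child, so the chain here reads as a process tree, but a write into an unrelated process would create an edge too.

```python
"""Correlate cross-process writes and SetThreadContext rows from a sandbox report.

Added example for this page, not sandbox or vendor code. Rows are copied from the
behavioral1 WriteProcessMemory and SetThreadContext tables (duplicates trimmed).
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample: rows copied from the tables above, duplicates trimmed.
SAMPLE_EVENTS = r"""
PID 1660 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2236 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1660 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\b6FC6.exe
PID 1660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 1660 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 1660 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe
PID 2688 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1660 set thread context of 2688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
"""

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Editor's assumptions: build tools a dropper should not be driving, and
# directory markers an unprivileged user can write to.
DEV_TOOLS = {"csc.exe", "vbc.exe", "cvtres.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass
class InjectionGraph:
    images: Dict[int, str] = field(default_factory=dict)        # pid -> image path
    writes: Counter = field(default_factory=Counter)            # (src, dst) -> row count
    ctx_sets: Set[Tuple[int, int]] = field(default_factory=set)  # SetThreadContext pairs
    first_writer: Dict[int, int] = field(default_factory=dict)  # dst -> first pid writing to it


def parse(text: str) -> InjectionGraph:
    g = InjectionGraph()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        g.images[src] = m["src_img"]
        g.images[dst] = m["dst_img"]
        if m["verb"].startswith("wrote"):
            g.writes[(src, dst)] += 1
            g.first_writer.setdefault(dst, src)
        else:
            g.ctx_sets.add((src, dst))
    return g


def hollowing_candidates(g: InjectionGraph) -> List[Tuple[int, int, str, int]]:
    """(src, dst, dst image, write rows) for pairs with both a write and a SetThreadContext."""
    return [
        (src, dst, g.images[dst], g.writes[(src, dst)])
        for src, dst in sorted(g.ctx_sets)
        if (src, dst) in g.writes
    ]


def lineage(g: InjectionGraph, pid: int) -> List[int]:
    """Follow first-writer links from pid back to the root, root first."""
    chain, seen = [pid], {pid}
    while chain[0] in g.first_writer:
        parent = g.first_writer[chain[0]]
        if parent in seen:  # guard against a cycle in malformed input
            break
        chain.insert(0, parent)
        seen.add(parent)
    return chain


def compiler_from_user_dir(g: InjectionGraph) -> List[Tuple[int, int, str]]:
    """Write edges from an image under a user-writable path into a .NET build tool."""
    hits = []
    for (src, dst), _count in sorted(g.writes.items()):
        src_img, dst_img = g.images[src].lower(), g.images[dst].lower()
        tool = dst_img.rsplit("\\", 1)[-1]
        if tool in DEV_TOOLS and any(mk in src_img for mk in USER_WRITABLE_MARKERS):
            hits.append((src, dst, g.images[dst]))
    return hits


if __name__ == "__main__":
    graph = parse(SAMPLE_EVENTS)
    for src, dst, image, count in hollowing_candidates(graph):
        print(f"hollowing candidate: {src} -> {dst} ({image}), {count} write rows")
    print("reg.exe lineage:", " -> ".join(str(p) for p in lineage(graph, 1728)))
    for src, dst, image in compiler_from_user_dir(graph):
        print(f"build tool driven from user dir: {src} -> {dst} ({image})")
```

On these rows the only hollowing candidate is 1660 -> 2688 (CMsk1.exe), reg.exe (1728) traces back through cmd.exe and CMsk1.exe to the original sample, and the single build-tool hit is the sample driving csc.exe; csc.exe's own write into cvtres.exe is not flagged because csc.exe does not live under a user-writable path.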

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q6emb6qp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE448.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE447.tmp"

C:\Users\Admin\AppData\Local\Temp\b6FC6.exe

"C:\Users\Admin\AppData\Local\Temp\b6FC6.exe"

C:\Users\Admin\AppData\Local\Temp\CMsk1.exe

C:\Users\Admin\AppData\Local\Temp\CMsk1.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mikpcowm.cmdline"

C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe

"C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\noinstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\noinstall.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\noinstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\noinstall.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsupdate.hopto.org udp
US 8.8.8.8:53 1microsupdate.hopto.org udp
US 8.8.8.8:53 2microsupdate.hopto.org udp
US 8.8.8.8:53 3microsupdate.hopto.org udp
US 8.8.8.8:53 4microsupdate.hopto.org udp
US 8.8.8.8:53 5microsupdate.hopto.org udp
US 8.8.8.8:53 6microsupdate.hopto.org udp
US 8.8.8.8:53 7microsupdate.hopto.org udp
US 8.8.8.8:53 8microsupdate.hopto.org udp
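The Network table shows nothing beyond DNS: the sample asks 8.8.8.8 for microsupdate.hopto.org and then for the same label prefixed 1 through 8. hopto.org is a No-IP dynamic-DNS domain, and the numbered variants read as a configured list of fallback controllers rather than nine independent lookups. No resolved address or C2 port appears in this report, so blocking and hunting should key on the hostnames. The Python below is an added example, not sandbox code: it parses rows in the report's "Country Destination Domain Proto" format (the sample rows are copied from the table above), collapses numeric-prefix variants onto their base hostname, tags groups whose registrable suffix is a known dynamic-DNS provider, and emits a flat host list for blocking. The provider suffix list is the editor's partial list and is an assumption, not something the report states.

```python
"""Group the DNS lookups from a sandbox report into C2 candidates.

Added example for this page, not sandbox code. Rows are copied from the
behavioral1 Network table. The dynamic-DNS suffix list is the editor's own
partial list and an assumption, not something the report states.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import List

# Constructed sample: rows copied from the Network table above.
SAMPLE_NETWORK = """
US 8.8.8.8:53 microsupdate.hopto.org udp
US 8.8.8.8:53 1microsupdate.hopto.org udp
US 8.8.8.8:53 2microsupdate.hopto.org udp
US 8.8.8.8:53 3microsupdate.hopto.org udp
US 8.8.8.8:53 4microsupdate.hopto.org udp
US 8.8.8.8:53 5microsupdate.hopto.org udp
US 8.8.8.8:53 6microsupdate.hopto.org udp
US 8.8.8.8:53 7microsupdate.hopto.org udp
US 8.8.8.8:53 8microsupdate.hopto.org udp
"""

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<dst>\S+) (?P<domain>\S+) (?P<proto>tcp|udp)$")
LEADING_DIGITS = re.compile(r"^\d+")

# Editor's partial list of free dynamic-DNS suffixes (assumption; extend as needed).
DDNS_SUFFIXES = frozenset({
    "hopto.org", "zapto.org", "no-ip.org", "no-ip.biz", "ddns.net",
    "sytes.net", "servehttp.com", "duckdns.org",
})


@dataclass
class Lookup:
    destination: str  # resolver the query went to, host:port
    domain: str
    proto: str


@dataclass
class DomainGroup:
    base: str         # hostname with any numeric prefix stripped from the first label
    provider: str     # matching dynamic-DNS suffix, or "" when none matched
    hosts: List[str]  # every queried host that collapsed into this group


def parse_rows(text: str) -> List[Lookup]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Lookup(m["dst"], m["domain"].lower(), m["proto"]))
    return rows


def registrable_suffix(domain: str) -> str:
    # Last two labels; good enough for the provider list above, which has no
    # multi-label public suffixes such as co.uk.
    return ".".join(domain.lower().split(".")[-2:])


def group_fallbacks(domains: List[str]) -> List[DomainGroup]:
    groups: "OrderedDict[str, DomainGroup]" = OrderedDict()
    for domain in domains:
        first, _, rest = domain.lower().partition(".")
        stripped = LEADING_DIGITS.sub("", first) or first  # keep an all-digit label as is
        base = stripped + ("." + rest if rest else "")
        group = groups.get(base)
        if group is None:
            suffix = registrable_suffix(domain)
            group = groups[base] = DomainGroup(base, suffix if suffix in DDNS_SUFFIXES else "", [])
        if domain not in group.hosts:
            group.hosts.append(domain)
    return list(groups.values())


def ioc_hosts(groups: List[DomainGroup]) -> List[str]:
    """Flat, sorted, de-duplicated host list for a blocklist or hunt query."""
    return sorted({host for group in groups for host in group.hosts})


if __name__ == "__main__":
    lookups = parse_rows(SAMPLE_NETWORK)
    for group in group_fallbacks([lk.domain for lk in lookups]):
        tag = f"ddns:{group.provider}" if group.provider else "no ddns match"
        print(f"{group.base} ({tag}): {len(group.hosts)} hosts")
    print("\n".join(ioc_hosts(group_fallbacks([lk.domain for lk in lookups]))))
```

On the report's rows this yields a single group, microsupdate.hopto.org on provider hopto.org, with all nine queried hosts; the group count rather than the raw row count is what tells an analyst they are looking at one controller with fallbacks.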

Files

memory/1660-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

memory/1660-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

memory/1660-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\q6emb6qp.cmdline

MD5 82f7ec70eb40e65dc3543a8131ecf980
SHA1 b3e1bc8644e190d2a20aa1eabb80345ea25e6436
SHA256 1e26bc9914576a064ba1cae8d427b2f609d5c69130f5e15edd9cefda3f58ab3b
SHA512 7be2cbbdf693c7c9a3b9e5535a196e6268fec4521627e1be7e12472e7300b04610f6dbee851571648f3c3945a83435101aaad76176255befb14694ae4f4e2f29

\??\c:\Users\Admin\AppData\Local\Temp\q6emb6qp.0.cs

MD5 a7afd4e117b8a9f37f12abe4c0a31fe1
SHA1 216cbd4090269590d1086e0560c2d901c8b89dfa
SHA256 0c3690324a85c67a4410624475c3c8ed0ef30e3866c238230f5011a03f527fd8
SHA512 0c329906ee8bc4864f68956852d2495cd1487f67a444d5b2e6b682501ed2472764a37f4956846e033685ece264c37afb20a783728088ddeab0c5f24d4975d751

memory/2236-8-0x00000000747D0000-0x0000000074D7B000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCE447.tmp

MD5 a1134e17cc7135288e52a56a0feda4ba
SHA1 6ecc9ef1d36c35134818fa8e830cc2d25c7b291f
SHA256 89ea30c4a1a47331dc335e884566201f716ca97a1af66963cb4f9647aeedea11
SHA512 3d9c1a20246c9ba286a953f9a16bb361c4220b12b7c4734c413c4008bcaaa91023253011e319d8f276aafe9fc99d5f0384af324ee9d98ad40f97a6a3a390904e

C:\Users\Admin\AppData\Local\Temp\RESE448.tmp

MD5 35ee8434ef10519653b306a4ee61ceda
SHA1 b4f746b3894ef7c2425e639fc96e018e7aab799d
SHA256 e6a3d0f413d07fd7afe3ccf0fef85b9268dfa84b3ca71c9633be7a07ceaf4aac
SHA512 c4f41e1132c2371576bf232cea729b01dc9fad06d966569a675077716368bbbcabb43bc6f068d9075ee6ef68a1819057a148444ce9e39a9825f0a005a7bd65a4

memory/2236-15-0x00000000747D0000-0x0000000074D7B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b6FC6.exe

MD5 1478cd1f5aa49aadee00cfb26e1b8a82
SHA1 ed001e9d060cd2c52d747884ee98eea753d834ba
SHA256 a8407edd4b7e24737b538942159f144b33aba6942b6217f02732e364e059c07b
SHA512 00020f0dab2c6f0eac6bd507bc378d73e53688edde8a561f6004d5d64edbc42b6cef691358abcd6a7ee80386a99d038886db4ac14a10ac472970379a71bbf3f3

memory/1660-22-0x00000000747D0000-0x0000000074D7B000-memory.dmp

\Users\Admin\AppData\Local\Temp\CMsk1.exe

MD5 ed797d8dc2c92401985d162e42ffa450
SHA1 0f02fc517c7facc4baefde4fe9467fb6488ebabe
SHA256 b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
SHA512 e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

memory/2688-38-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2688-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2688-35-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2688-33-0x0000000000400000-0x0000000000470000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\mikpcowm.cmdline

MD5 45f4acb9cdf4f7d1ca1319bdd7989783
SHA1 965664ed09a52260b62a7ab1bbe124b632fd5bdc
SHA256 a3552a0b735aa045aafcd67076a334df0cc63f1caef153ef6dd83117405f6146
SHA512 35983f7e10896227d61d695427b867d06cf6446c737441a0ae33c2906c51e9a017ca23631a7a963ab3732d4f5dd849907dd6281c06cbfbce4de161fd5652e7f8

\??\c:\Users\Admin\AppData\Local\Temp\mikpcowm.0.cs

MD5 f77a12a68d89658a3ff87380c7a02fa6
SHA1 382e0bb272bf557a2cc60c5d6a604cc9190c700d
SHA256 31f0e9b8cf8950d4e5aa95af5a6ac6af3a8641b5a56d2aedee69ce55faa5ab0a
SHA512 6ec430f817c5ba410440dddffbda1145af3d8b6d0d945bb09361840fd4048a701b76d25076e6c8be1fd492e52931123e381e45af615bc931664ad4e80588e58e

\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe

MD5 e987de1586ef2e544822b89957fbb842
SHA1 80e562c8f00806163ef93f91331882d430fba762
SHA256 9d1c3d99596ae3b66b31d17a1d586a8379deb9a76208a8fc6f1359a2653dbd19
SHA512 b506e638e2b72382e5367f4b60a6eac703de157a3fb02f31b8fd8b0288bbed90b7c0dab1f55706d1dfdbe6ee6adf3a5842a8e20083146e301dffeea403673782

memory/2688-31-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1660-58-0x00000000747D0000-0x0000000074D7B000-memory.dmp

memory/2688-59-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1660-61-0x00000000747D0000-0x0000000074D7B000-memory.dmp

memory/2688-62-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2688-64-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2688-65-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2688-66-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2688-68-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2688-69-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2688-70-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2688-74-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2688-76-0x0000000000400000-0x0000000000470000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-03 03:55

Reported

2025-02-03 03:58

Platform

win10v2004-20250129-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\noinstall.exe = "C:\\Users\\Admin\\AppData\\Roaming\\noinstall.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\CMsk1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CMsk1.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javaw.exe" C:\Users\Admin\AppData\Local\Temp\b6FC6.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 552 set thread context of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b6FC6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe N/A
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 552 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 552 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 552 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1592 wrote to memory of 2876 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1592 wrote to memory of 2876 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1592 wrote to memory of 2876 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 552 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\b6FC6.exe
PID 552 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\b6FC6.exe
PID 552 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\b6FC6.exe
PID 552 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 552 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 552 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 552 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 552 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 552 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 552 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 552 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 552 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 552 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 552 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\CMsk1.exe
PID 552 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe
PID 552 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe
PID 552 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe
PID 1264 wrote to memory of 1192 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1264 wrote to memory of 1192 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1264 wrote to memory of 1192 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2756 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\CMsk1.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe
PID 552 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe
PID 552 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe
PID 3292 wrote to memory of 4676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 4676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 4676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4556 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4556 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4556 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 644 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 644 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 644 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_843418d201e93a3f3f41cc94f0b6841f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h4hg5wbj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AE9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9AE8.tmp"

C:\Users\Admin\AppData\Local\Temp\b6FC6.exe

"C:\Users\Admin\AppData\Local\Temp\b6FC6.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eniuzdgq.cmdline"

C:\Users\Admin\AppData\Local\Temp\CMsk1.exe

C:\Users\Admin\AppData\Local\Temp\CMsk1.exe

C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe

"C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA00A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA009.tmp"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\noinstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\noinstall.exe:*:Enabled:Windows Messanger" /f

C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe

"C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\noinstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\noinstall.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMsk1.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 microsupdate.hopto.org udp
GB 95.101.143.219:443 www.bing.com tcp
US 8.8.8.8:53 219.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 microsupdate.hopto.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 1microsupdate.hopto.org udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 2microsupdate.hopto.org udp
US 8.8.8.8:53 3microsupdate.hopto.org udp
US 8.8.8.8:53 4microsupdate.hopto.org udp
US 8.8.8.8:53 5microsupdate.hopto.org udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 6microsupdate.hopto.org udp
US 8.8.8.8:53 7microsupdate.hopto.org udp
US 8.8.8.8:53 8microsupdate.hopto.org udp

Files

memory/552-0-0x0000000075062000-0x0000000075063000-memory.dmp

memory/552-1-0x0000000075060000-0x0000000075611000-memory.dmp

memory/552-2-0x0000000075060000-0x0000000075611000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\h4hg5wbj.cmdline

MD5 d6bd853d2ca945fbb389edb2d5517aa3
SHA1 b44e3278515d73269bdda2c329965fd313d8d530
SHA256 f891fae53dfeb692ee807f3e44280262991ddb576bf9ff43290276f914c5d8e9
SHA512 593323d3404b5d7ac3ec4c3fe2cc67c714e3b4d16db413061d0d47fcc3136fdbffbcb173c1f9837ca24ad6efd9c9bda37ab61f22a9f3409d31f2e4e004919860

\??\c:\Users\Admin\AppData\Local\Temp\h4hg5wbj.0.cs

MD5 a7afd4e117b8a9f37f12abe4c0a31fe1
SHA1 216cbd4090269590d1086e0560c2d901c8b89dfa
SHA256 0c3690324a85c67a4410624475c3c8ed0ef30e3866c238230f5011a03f527fd8
SHA512 0c329906ee8bc4864f68956852d2495cd1487f67a444d5b2e6b682501ed2472764a37f4956846e033685ece264c37afb20a783728088ddeab0c5f24d4975d751

memory/1592-8-0x0000000075060000-0x0000000075611000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC9AE8.tmp

MD5 a1134e17cc7135288e52a56a0feda4ba
SHA1 6ecc9ef1d36c35134818fa8e830cc2d25c7b291f
SHA256 89ea30c4a1a47331dc335e884566201f716ca97a1af66963cb4f9647aeedea11
SHA512 3d9c1a20246c9ba286a953f9a16bb361c4220b12b7c4734c413c4008bcaaa91023253011e319d8f276aafe9fc99d5f0384af324ee9d98ad40f97a6a3a390904e

C:\Users\Admin\AppData\Local\Temp\RES9AE9.tmp

MD5 4a4b3957b29ed201fe3196dadf142cfe
SHA1 bab76367974fbb351a10fcadf042ba27eb096833
SHA256 0cc1e1f91f0965aa7559d4914ead7afc4a03455785aa1bde8378bbc851aa8593
SHA512 f024977dd510c595b13b15d6ecf55a88cb3ffb90e5f0aaa2758391bf7ec4a92176b6bf948b1755da7c62cc1a016d3c0a218f2616d81e68e1551556c2b542c94a

memory/1592-15-0x0000000075060000-0x0000000075611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b6FC6.exe

MD5 c9f8df07644d5af32589f3b24a742a80
SHA1 d91de36e9bd83ec222b5b4593a46f3ca83f70d66
SHA256 53583989ec762133823a67431337da8065a4f6652ec928a45861cf39aea696ef
SHA512 aac27fd9db6a8f4482e47f50ecac9d335f20df99a7621d432f99cabbb917c1ffe947a07744260c4b4e2458be6fe6e60c5b463fc37951d726b73b790ed19832d0

memory/3040-21-0x0000000075060000-0x0000000075611000-memory.dmp

memory/552-22-0x0000000075060000-0x0000000075611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CMsk1.exe

MD5 e118330b4629b12368d91b9df6488be0
SHA1 ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA256 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512 ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

memory/2756-29-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AngryBirdsSeasons.exe

MD5 e987de1586ef2e544822b89957fbb842
SHA1 80e562c8f00806163ef93f91331882d430fba762
SHA256 9d1c3d99596ae3b66b31d17a1d586a8379deb9a76208a8fc6f1359a2653dbd19
SHA512 b506e638e2b72382e5367f4b60a6eac703de157a3fb02f31b8fd8b0288bbed90b7c0dab1f55706d1dfdbe6ee6adf3a5842a8e20083146e301dffeea403673782

memory/2756-42-0x0000000000400000-0x0000000000470000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\eniuzdgq.0.cs

MD5 63e5aee854b95119845f32cfd50daeec
SHA1 411c321a68cfa2e79f2a3d541038f3f3441cf7c0
SHA256 2a4506735bf9c47a0b1ae39c467d3e839646aa2e698a7a6050c59dc034375580
SHA512 1216bb919425692e99c7a916cfe399f2c877523f03bd62f6ff23d79509ea42e5a41c62696a0abbb53cb0d1c31000e7d9432205ffeb38e9a19fbee3b99504f790

\??\c:\Users\Admin\AppData\Local\Temp\eniuzdgq.cmdline

MD5 a8e5d1cf4f3cbaea49ddc7ed2b7e5378
SHA1 d3ccbba7b9b0a2cd3454f41835e4de7d3840bbfa
SHA256 4d6454a0ec3974a13a9eb2d933c0fcbb7e87485d88839bf8a25a192535f73694
SHA512 fd4ae10b18345f15e2da8fa63c9a0b1b17b23a605cef0335187b4ba3376aabd1c201c2ac4e0a11b9b7247148b759f10a7e8ecb976510ca17656b184a7c342780

\??\c:\Users\Admin\AppData\Local\Temp\resource.resources

MD5 201b2dbfc9f9906cf9c4b9117acbe283
SHA1 44f14fab1e5fae13a8c5026a0730c17b8c54c958
SHA256 3109e96501a07a3d837298681fbaacf5962b56810021293bd1cc1c2e7895064f
SHA512 db9a1cba1ff3fae70824f91ae12dc9a88a5b98d4d5bec5ad09edb3672408470bc9b18e51deec206c423edae4b166678d3b773cb3058d02e3d5ae7d2060466f85

\??\c:\Users\Admin\AppData\Local\Temp\CSCA009.tmp

MD5 d9181a8d5ad15cea9bd83d124adfafe6
SHA1 5117311ee4365edc718331c4672974d112b7c30a
SHA256 d771893d41089369afd786e4eaf2187d5787ed24aef9ebdd597ea0dda34c8528
SHA512 77a94bf90e036ad1ae06b673fe82d0fe8218bc9731dcd3152e48b9910bc91f9ca048e4f0b35b2f3d8d73c43371baa5f8dcdfb1a1f8315e5f2842bf17ba5670ba

C:\Users\Admin\AppData\Local\Temp\RESA00A.tmp

MD5 628fbd672d7c8cd833d5cca006ba1615
SHA1 12dd838a8d66313221e4d22bfce15912fe570f48
SHA256 b8d092b6da6a93d0a9e296f8b0a618f634053a0907eacf0c7c39e17a67c79d4c
SHA512 d58dda65a1d0cfd388615af0e6d9c1c8ec48e7dcde00bfebd01987ce3e1eea0f95f4a57e452971c3b556dabaf554237c386769e87c9ccd323433460c907a2b79

C:\Users\Admin\AppData\Local\Temp\BGa7RW.exe

MD5 dc711cd45f201e4a34978d92ebb5804e
SHA1 9c5c13c20e88e2292c90618800fe5353e1426fe8
SHA256 0e845ca27a25de729939d794f84a321b862c2b35072c9fe58199efac34f88d10
SHA512 e9e298c06031bfc13ff5fa69edbc85738c660ce7f63ae22684f1c10f23be46c54547e469c989b91703d9c3f936926f05131800bf38930fa8f22af0a07917c768

memory/552-63-0x0000000075060000-0x0000000075611000-memory.dmp

memory/3040-64-0x0000000075060000-0x0000000075611000-memory.dmp

memory/2756-66-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2756-67-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2756-70-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2756-71-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2756-73-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2756-74-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2756-75-0x0000000000400000-0x0000000000470000-memory.dmp