Malware Analysis Report

2024-10-19 08:14

Sample ID 240415-nj4r5sfe6s
Target f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118
SHA256 ec83c2c1eec33e0da96d042d70338877a95ab967b5882e1c6a2ebe8f11f62f0a
Tags expiro backdoor discovery evasion trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Expiro, m0yv

Expiro payload

Disables taskbar notifications via registry modification

Executes dropped EXE

Windows security modification

Enumerates connected drives

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 11:26

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 11:26

Reported

2024-04-15 11:29

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe"

Signatures

Expiro, m0yv (backdoor, expiro)

Expiro payload (backdoor)

Disables taskbar notifications via registry modification (evasion)

Windows security modification (evasion, trojan)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3198953144-1466794930-246379610-1000 C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3198953144-1466794930-246379610-1000\EnableNotifications = "0" C:\Windows\System32\alg.exe N/A

Checks installed software on the system (discovery)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\alg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system32\svchost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\cmjopade.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\cnicpnje.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\bjeklmpe.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\nhdkjacl.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\hgjpndbk.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\syswow64\kfiankje.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\ohnmkapl.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\lqngeecf.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\aefcoifa.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\bfnkjjnp.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\jgajqmin.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\cacaeimp.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\perceptionsimulation\kacibend.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\diphkkog.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\diagsvcs\kdadkefk.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\aflolfpg.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\openssh\cbdfglpp.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\cljifenh.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\mozilla maintenance service\ainmjnej.tmp C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\7-Zip\gkooamha.tmp C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\program files\google\chrome\Application\110.0.5481.104\fclgdgan.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created C:\Program Files\7-Zip\lncjookl.tmp C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\110.0.5481.104\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\7-Zip\jgpijieg.tmp C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp C:\Windows\System32\alg.exe N/A
File created \??\c:\program files\common files\microsoft shared\source engine\fihjefke.tmp C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\program files\google\chrome\Application\110.0.5481.104\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created C:\Program Files\7-Zip\nccafaqk.tmp C:\Windows\System32\alg.exe N/A
File created \??\c:\program files\google\chrome\Application\110.0.5481.104\lbjleflp.tmp C:\Windows\System32\alg.exe N/A
File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\oengeomi.tmp C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\110.0.5481.104\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
File created \??\c:\windows\servicing\dhkkhhla.tmp C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A

System policy modification (evasion)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Windows\System32\alg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0f21b42ad4fc3652edd2111eac1099b_JaffaCakes118.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

Network


Files

C:\Users\Admin\AppData\Local\dkiroaap\cmd.exe

C:\Windows\System32\alg.exe

\??\c:\windows\system32\Appvclient.exe

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\FXSSVC.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe

C:\Windows\System32\msdtc.exe

\??\c:\program files\common files\microsoft shared\source engine\ose.exe