Malware Analysis Report

2024-10-19 08:14

Sample ID 240417-ldsftacd9v
Target f576fb70250aecee421413812165b2cf_JaffaCakes118
SHA256 8e7cb0d2a8b6bef4d3593241f68d25043a559db262b51e332cb2dc5e6dc9d76b
Tags
expiro backdoor discovery evasion trojan
score
10/10


Analysis Overview

score
10/10

SHA256

8e7cb0d2a8b6bef4d3593241f68d25043a559db262b51e332cb2dc5e6dc9d76b

Threat Level: Known bad

The file f576fb70250aecee421413812165b2cf_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

expiro backdoor discovery evasion trojan

Expiro, m0yv

Expiro payload

Disables taskbar notifications via registry modification

Windows security modification

Executes dropped EXE

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-17 09:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 09:25

Reported

2024-04-17 09:28

Platform

win10v2004-20240412-en

Max time kernel

151s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe"

Signatures

Expiro, m0yv

backdoor expiro

Expiro payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Disables taskbar notifications via registry modification

evasion

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-776854024-226333264-2052258302-1000 C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-776854024-226333264-2052258302-1000\EnableNotifications = "0" C:\Windows\System32\alg.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\nnpmochj.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\fgbdmmlf.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\bnfmpeon.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\dhhbohpc.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\syswow64\hekoedaa.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\nijcldql.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\hklknpad.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\elgcncdk.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\lmoafpqg.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\onbgckbq.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\hmliadmc.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\mbbpicfj.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\oodlcboa.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\gifanfhh.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\ekaflqll.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\igkfpdgc.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\becpkbah.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\eglafbcn.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\perceptionsimulation\noclqphg.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\openssh\amkeblhj.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\gihphogm.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\lhbjhkab.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\110.0.5481.104\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\njlikodj.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\7-Zip\gkooamha.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\7-Zip\jgpijieg.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files\dotnet\ddnfppgh.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\110.0.5481.104\elevation_service.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\program files (x86)\mozilla maintenance service\pmacpaal.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files\7-Zip\nccafaqk.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\program files\google\chrome\Application\110.0.5481.104\pcjhfgbj.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\miqfjfol.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\program files\common files\microsoft shared\source engine\hjmpinqi.tmp C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created C:\Program Files\7-Zip\lncjookl.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
File created \??\c:\windows\servicing\hejedhkd.tmp C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\alg.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Windows\System32\alg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f576fb70250aecee421413812165b2cf_JaffaCakes118.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\jqolcaoo\iapbjlon.tmp

C:\Windows\System32\alg.exe

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\FXSSVC.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

\??\c:\windows\system32\Appvclient.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

C:\Program Files\Common Files\microsoft shared\Source Engine\hjmpinqi.tmp

C:\Windows\System32\msdtc.exe

C:\Program Files\7-Zip\7z.exe

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
