Malware Analysis Report

2024-10-19 08:14

Sample ID 240417-qza6wabf5t
Target f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118
SHA256 084f787a0c52d0282f9867cb2555ef2ff38185c35f4165115fe6082671623da8
Tags expiro backdoor discovery evasion trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Expiro, m0yv

Expiro payload

Disables taskbar notifications via registry modification

Windows security modification

Executes dropped EXE

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Analysis: static1

Detonation Overview

Reported

2024-04-17 13:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 13:41

Reported

2024-04-17 13:54

Platform

win10v2004-20240412-en

Max time kernel

169s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe"

Signatures

Expiro, m0yv

backdoor expiro

Expiro payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables taskbar notifications via registry modification

evasion

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-776854024-226333264-2052258302-1000 C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-776854024-226333264-2052258302-1000\EnableNotifications = "0" C:\Windows\System32\alg.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\klpbopjf.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\perceptionsimulation\bdaepojn.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\nnafoopa.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\bjhclacn.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\ifkqdgpe.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\lcjfaebk.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\kncbmnec.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\bknhhonf.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\iqjifajm.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File created \??\c:\windows\system32\nobkedhb.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\adnenbea.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\bdobplpj.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\openssh\nceiegaj.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\oigjjein.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\diagsvcs\fbdmmjcb.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\pjmajehl.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\nhnmcfid.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\dfdjpkjk.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\jjcfgdoa.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\system32\wbem\pcfbphak.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\program files (x86)\mozilla maintenance service\hjdjfejk.tmp C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\program files\windows media player\dhnjeinn.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\program files\common files\microsoft shared\source engine\obhlbdfm.tmp C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\7-Zip\lncjookl.tmp C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files\dotnet\jfjkgccl.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\jogfcpeh.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mgecidfd.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pgildlkb.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mnmjadqg.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\occlljkq.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\cikbqmip.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\gkooamha.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\110.0.5481.104\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\kgacdccg.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\nnbpngba.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\ddnfppgh.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\nccafaqk.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\jgpijieg.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\jkgaipki.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created C:\Program Files\7-Zip\jgpijieg.tmp C:\Windows\System32\alg.exe N/A
File created C:\Program Files\7-Zip\nccafaqk.tmp C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File created \??\c:\windows\servicing\dkdnacch.tmp C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Windows\System32\alg.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A (40 identical entries)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Windows\System32\alg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f5e803f430fcd2bb59b59604d3b42063_JaffaCakes118.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/2708-0-0x0000000140000000-0x000000014016C000-memory.dmp

memory/2708-2-0x0000000140000000-0x000000014016C000-memory.dmp

C:\Users\Admin\AppData\Local\rdrmlbrm\mclkkcml.tmp

C:\Windows\System32\alg.exe

memory/1180-17-0x0000000140000000-0x0000000140136000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

memory/788-29-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\FXSSVC.exe

memory/8-36-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/8-37-0x0000000140000000-0x00000001401C2000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

memory/1180-44-0x0000000140000000-0x0000000140136000-memory.dmp

\??\c:\windows\system32\Appvclient.exe

\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe

C:\Program Files (x86)\Mozilla Maintenance Service\hjdjfejk.tmp

C:\Windows\System32\msdtc.exe

memory/2708-71-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3344-72-0x0000000140000000-0x0000000140145000-memory.dmp

C:\Windows\System32\msiexec.exe

memory/4896-83-0x0000000140000000-0x0000000140131000-memory.dmp

\??\c:\program files\common files\microsoft shared\source engine\ose.exe

memory/1180-135-0x0000000140000000-0x0000000140136000-memory.dmp

memory/788-141-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3344-162-0x0000000140000000-0x0000000140145000-memory.dmp

memory/4896-178-0x0000000140000000-0x0000000140131000-memory.dmp

C:\Program Files\7-Zip\7z.exe

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\7zG.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
