expiro | 0a0dffb9263cc14e99591456be36003b52d5bf33fd5411070d36b492b495e705

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
Size

625KB
MD5

6c5f25d10330db5c8696a728d0a3ba60
SHA1

ddaa100fcefbfbdc354e3e18357667db79e827e1
SHA256

0a0dffb9263cc14e99591456be36003b52d5bf33fd5411070d36b492b495e705
SHA512

f4a54010adccb4fc51d1ff8cdebe35c1231af833d9df69e2046435e7b7ff78ec09e0f8a8b218e0b8bdcf50d26ae60c87ef8ef6d8ef73eb8d52b44d611cf0a572
SSDEEP

12288:FVt+w8wyv/U66WoJM5fDPqj7VkyBJotJq9X5DL8T9LvxtHa:Tt+w5ykDJ6fbqj7VkGayXJUtt

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/640-0-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/640-1-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/640-3-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/640-47-0x00000000004BC000-0x000000000054F000-memory.dmp	family_expiro1
behavioral1/memory/640-49-0x0000000000400000-0x000000000054F000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 9 IoCs

pid	Process
3724	alg.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
2196	fxssvc.exe
2532	elevation_service.exe
4144	elevation_service.exe
3408	maintenanceservice.exe
1428	msdtc.exe
5024	msiexec.exe
1140	SearchIndexer.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\K:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\N:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\Q:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\S:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\V:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\X:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\J:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\R:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\L:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\M:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\Z:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\P:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\Y:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\O:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\W:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\G:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\T:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\U:	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\X:	alg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\nfcocnih.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\ffacanoa.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\egokaooa.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\SysWOW64\alehedha.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\wbem\ipjqdpmh.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\nppgmoll.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pkjcpoed.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\njkinpmk.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\cnpgcpoj.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\pbhnlggm.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\ipemjlhh.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\openssh\mlgjebai.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File created	\??\c:\windows\system32\cmgfefkf.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\SysWOW64\immimgic.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\hbbdmocc.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\SysWOW64\dbhinjpf.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\SysWOW64\khjlifmh.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\system32\diagsvcs\biiokgcf.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\windows\SysWOW64\nakbdhjf.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\epaagbkf.tmp	alg.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\cfclhhpg.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	\??\c:\program files\windows media player\oneaohhp.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\njnngikm.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lbhckibj.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ifpcoece.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File created	C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073fe3e06d55ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032898304d55ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c385906d55ddb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016945005d55ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4b1c502d55ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac796d02d55ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000527f5c05d55ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000535ed904d55ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe
3724	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	640	JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
Token: SeAuditPrivilege	2196	fxssvc.exe
Token: SeTakeOwnershipPrivilege	3724	alg.exe
Token: SeSecurityPrivilege	5024	msiexec.exe
Token: 33	1140	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1588	1140	SearchIndexer.exe	117
PID 1140 wrote to memory of 1588	1140	SearchIndexer.exe	117
PID 1140 wrote to memory of 4540	1140	SearchIndexer.exe	118
PID 1140 wrote to memory of 4540	1140	SearchIndexer.exe	118

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3724

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1676

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4144

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1428

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1588
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
8f383360f56b0f200796297f20ae9820

SHA1
ce8d6928ff05f87aacaf900f1d4260a10a1a498a

SHA256
b3e95984dc162615a791b26d108b8460ff1e22427909c3a817eee4dd336cffb8

SHA512
0a0352a4c7e3288dff6a204dc7e10e8822d2ebad1c6dcec4dab81e022ae1b085d47ee3adec1c126cf6a5b1fa94be2a8d1bf30b3fc26279f7cb422f5c356d7845

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
eaaae2f5b18b899b2381478d2cdc818d

SHA1
0159959dcfa957b2aaba4669ba85baa1202405c4

SHA256
a22638aaed047d83bb9a949a79d07a53f0f95283bced642591b5b5184ab91e8b

SHA512
7bf42a7770c2341ea0c89faeb9f52fa18f2a4a62def37df81c130c7f3211a017a411321a018f4983c4fe160ad9e747384eed10a66013b9044881ffbe71b8ab10

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
f1b4e72f53dc945e45a8fa9acd90fcb3

SHA1
6ce2fff780a3735abc9753852c7972bada1dd2bf

SHA256
eef1dffa251a637a87ed13385e343ab3acd1def6dad73cc65c985a763a715f1c

SHA512
ab794a550142bc9399e5e8028f32f87101e045e5d1c018cccf8631fd75060d28d52563ac5e589b2158038e9fb49ae156249f7e24080dee08521410b6da5395c0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
dfbbf7e0f935f391739bc07e7be90892

SHA1
6ab377338561ae68d619d409589dea9f88a5b414

SHA256
f9aba700dd5ecc214cdb2f10ed86a6b2a8c463b986ec1168fc151922e4e87224

SHA512
039c441fd16c1e676afe63fb70fac506ff0243ccf52c6120289806acba83a6eec560acd37ba45d42923c275e07a45bbd19bdc23aa793d765d845de1ed17ed73f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
282544370fe9a1da8e2053db8d4b4f8f

SHA1
dcda98b6f11f992a0d34f2c46996f3de87d7f625

SHA256
76528c1ea85f7e8468f8d908105759d647fabe9af282fb4e6bd861defc775387

SHA512
cdf8aa24e16f1ad16e48f15fd90538c2be7976a4d283f7b162effa3d8599a084b1e3941e9c9651838ad34d2f901ccc3820e04de66fdf1b19076f1fde89305c1b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
d12033be3454cad56884a9960b87d100

SHA1
298bced4c1ddcaffc1fe1e72b042c397156e0370

SHA256
1498820be1bf8e70d1d865e3e4d4f939248ff0cb15841334b72028f8e5499f7c

SHA512
e6a33ba89e0b748b6d63b4dd67b43661501cbc8e8d8f7561d556f41cf26026c527620473f8087b8f8e0b5cefb9d21e1ea90f80863fc0ff69c1b5e9290274cc66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
020147edf45333f73550c7eed256e7cb

SHA1
bbcbcb0aa1cfe3353b8ff529fa1a357272b1d2e2

SHA256
0279c008993507e19d28284e90ed1932395121f6d7bd6faf1f98e687ec185507

SHA512
63eb4fb1a457b87d625c38018256306c64bb89d2051d9e7d666b597c78582108338ca44ba2f9be2d19b3ce35bfdaab42b0047555356ff1b4978d587cbceeb79f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
0adf4b34e773e86f88039041b33f4e36

SHA1
e7b6f7c5c5e0fae76454302f7a5465444fd3a662

SHA256
1c13347f044461298f3fff787da2791e42107698003048a64425425c01726326

SHA512
4525f9d51dd9262633cca7d58ac8d62b115caacfbe5379c9101db30319c99740de85610b0d20b342be6e405309dfcc8f3bf71349c46be96c2dbd029947549bab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
9ee35f4bfba95ee2c0a73217bec133b9

SHA1
fd409101f184f01bd7d3f75debc5b43a3ba6a219

SHA256
bd39caefc6d2c4701e2a44d0d6b6bf32176993b43dd6ba04cc2be1ef53ccf4b3

SHA512
e525fef873c84fab2e38085d1cb3e7d773920d8a3e86dfd1f41d6206dd5bbe2de6ad61b8d50bc8bbe806a24efb782cbb372dc3b4fbd909cc3a4afcb6e17f137d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
34311e87b3dfe4f2f8637e9c31070d1b

SHA1
250683955a44b3d5da7d34aaa5da032c275fc903

SHA256
c43a9c7363bcb71b161b41586c0a31a439ae6ab63734793a8464fa416d2838a6

SHA512
3292c6d7691b6dc349b60be0cafc3b5d21f7be6a506ea6b61304fc30b4d6b4feb5950a2a4ec43d7524b23457a7946feb110d1e68154e8c9bfaa9bc37cb516e78

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
cbf62bf1fd4bb667124b3c17ac6a0609

SHA1
e614238e81ffb95d64ad8234788398ecbec9aaf1

SHA256
a3d6f4a15dfe6daf6d4f7a8b4c0016c33b14174996f0985d1eab9cd872022b0f

SHA512
3e5900494a53d6f87393e1dd505e2f73a6118ee178876531bc47bf0f99489893ff8a0b653ef8b2839a43195ac4d7e10f8d1dc4f4fab4e0843788b0c23f942138

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\epaagbkf.tmp

Filesize
637KB

MD5
b014d99f99fcf4b51af4254d602d387d

SHA1
51164c46c2618c19037321d3d8ff37e8291bfa72

SHA256
ca50c20a7a21235de1aea7c4aa39d2f94fd877aeafcf9069009f9b684855978c

SHA512
2501a21f83e4d78acb54806f60e23a2b4727d3e048fd18a14c3b92d33d685352600f6fddf28cc1bf46676f5fe6f875b8a2642dd4c36037b8bc370212cdb7c664

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
a8d3cdce231c6b252e01b38530721acf

SHA1
681f88e273db89cf0be1c6c4e04769bc33a08b2e

SHA256
05f871ff92815d644350fdbb2a8ef73ff06f5af3148beb59f6ba26ca65ea231c

SHA512
22613940d12574133d647463e46b38f8b2b34a951b0031b869234a5efb82041c62375009d37f14403f461e57e7e62e8c59f52bb0b2dc68df7006fa0cbaab2f8b

Download Submit
C:\Users\Admin\AppData\Local\ldccaeio\jolcdbfe.tmp

Filesize
625KB

MD5
0a2ddb77e6d026f8715c90a91bbd98f4

SHA1
9f8a2bc913e2a8a3c1ec0376c07eb4e9e0e06419

SHA256
bef09502549a2e542370a48ea317811fa28c4bd3f9bdf21e88da8ec94bddb051

SHA512
cc2a3ffcb68153bcb8b1ca2b856118ee0fc3a12f06f08ed375442b022cb2969338c8d3aa4fe007c13f0c05f541f03797967ae1f1fa1a1c8189d97582b52b32df

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
b4e74b996907d17f0eb53a583f01a913

SHA1
c85c03f7eab495a88c8c7431978c293bc5f3323f

SHA256
014112e7d78d2f242f09f3dc58338ab7ce0271ae5a62146b3029d73c6e7ee03b

SHA512
cf24f82ee082f68d5f2ba036f9c1bb576fe79f914312de509b49b3d1bb677c967084a7414eb09ebf25709acdc40116cad1cad134d50e899ed1bee7fd372e7305

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
91f043500b669c78642d7ac65fe822d6

SHA1
9923fa90afc88ed91f6156e413cd8993cff77398

SHA256
10c24e2c13d976d0c61c8876e25d453becc2e55eb8a075f23d96379bcbd1c963

SHA512
b9f876c34dd3d2c70dbba6a9a2087ed7bf41a1db63ddc7a544d51402a2df1da1e2df70d077f5d29756182e8da5935590488c6dacafae4f438c917036fbb3da2c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
bb60dc9e251bb2ee8130a3b133257b45

SHA1
88c17b00c7d105bf42869ccde8d0ed599fa9ab5c

SHA256
a57d116db89de63ef982cfdacab92a9e71c6154bfa16231d18d7776a1bacb1fa

SHA512
8f5ac909b5c8e69952148c0f0a963b0cc56ee32b7351b365ba111b49c1b2d311785fcbdfadad786583255c9edcebe92dd672c15bca91cf1dcb59c4d2ed6e755d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.3MB

MD5
48aec5f70e989b2ec53e5b0a74d2c086

SHA1
eebb187c33101ad30ac04bf0d2e82977efdf0a60

SHA256
75aedf5230c6d30d3e0e24bc254dbd0e74c88a4c1710c6b15e2abe2d86618253

SHA512
ce01c0f238fca1376ba110fa72710c4f8629f5be3a8dcb5ad13189761b03237e090218e7ef35d2aad938fabe33e78b12838397b260eb943793d588d9989a184c

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
97976d4e1a92a447ac961bb7c80d3247

SHA1
a20d534c11677f5c28285f034b07e5a81455544f

SHA256
ace6eb9000921a0f1d43a97dfe2115cb1dd469d387e9550f714d02030cfeff2f

SHA512
3971b6a05fcd958dff7aa1c241a3178fbea662b5a73cbd1340eb43d80bbfe317c3aec3f516bd42d38ebbefb75381d4ee6028ba34499c1a15e985b2b54931bf34

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
6bee526d1a1b2662065d32c58041ff29

SHA1
11a4d333b8915abbe9041af9224b137e46ec6112

SHA256
7553e41718a779fd48da08a01d77345e4a81a8baecd6030a2d461320962031e8

SHA512
943b80eeee0d600f9b3fb676d1213e049ed23bc464bc2a386fd8d263a65aebb2363f2e61acd595e065a58d4107a4f1aeb31e9692e8a3318eed4caf453f8e960e

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
463KB

MD5
1729398e603b2545e4e4cf0566d97312

SHA1
8717023a548a3ef0ca7cad02ce7b9555b92de46c

SHA256
335ceb58913030b6d89e3091726f9930b2e5ada1331bfff5251043d5b8222ca6

SHA512
9f9c01fb6228e1983ee5d917230f198ed5c0540a836a321e2d22c57f239441198b77e8fefa7de7b446f365cdaffcc707c6f932262e1320f29115b6d9e167979c

Download Submit
C:\Windows\system32\windowspowershell\v1.0\powershell.exe

Filesize
839KB

MD5
a03409e36f231a6121a73d68e5c5f7f8

SHA1
f0faaf582b76354ffff7520e753db656a29dbd77

SHA256
c29b4aa68ce7d44a95921701f4be13c618a23916c27696d846be2b2d0672204b

SHA512
779ba30b2abb10c8c7a0fceb56a22d710302f66e512343c3e4289e57b937e458d64a58cbe59f53fe674ddc00a2b36af8eb2af18dce508544c255ffb42b3ed370

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
db59c8c22445d78943fe343485ee781d

SHA1
4c6e55c4dec86d694645ff9abc99c45d4ef65bca

SHA256
9d9594f8532e8ae589cbc3a9c13f472c0ec6cb58f1bb8152280bc4786a120f58

SHA512
0a78a9679ed3c9e6da5de39d7ab4582ebbd06b5325e46509bd962107c9cb425585c89085b188368cf5166aac08fd437d692a98cbc9e76f518eb63cc4edaed199

Download Submit
memory/640-3-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/640-1-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/640-0-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/640-49-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/640-47-0x00000000004BC000-0x000000000054F000-memory.dmp

Filesize
588KB

Download
memory/1140-381-0x000000000A0B0000-0x000000000A0B8000-memory.dmp

Filesize
32KB

Download
memory/1140-367-0x0000000006DF0000-0x0000000006DF8000-memory.dmp

Filesize
32KB

Download
memory/1140-335-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/1140-351-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2196-50-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2196-48-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3724-23-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/3724-57-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/3724-63-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4052-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4052-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4540-390-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-397-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-386-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-387-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-388-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-389-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-384-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-391-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-392-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-393-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-394-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-395-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-396-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-385-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-398-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-399-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-400-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-401-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-402-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-404-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-403-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-405-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-406-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-409-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-408-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-410-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-407-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download
memory/4540-383-0x000001A126190000-0x000001A1261A0000-memory.dmp

Filesize
64KB

Download