Malware Analysis Report

2025-04-13 23:46

Sample ID 250103-nvsh9a1pht
Target JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60
SHA256 0a0dffb9263cc14e99591456be36003b52d5bf33fd5411070d36b492b495e705
Tags
expiro backdoor discovery evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a0dffb9263cc14e99591456be36003b52d5bf33fd5411070d36b492b495e705

Threat Level: Known bad

The file JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60 was found to be: Known bad.

Malicious Activity Summary

expiro backdoor discovery evasion trojan

Expiro, m0yv

Expiro family

Expiro payload

Disables taskbar notifications via registry modification

Windows security modification

Executes dropped EXE

Enumerates connected drives

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-03 11:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-03 11:43

Reported

2025-01-03 11:46

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe"

Signatures

Expiro family

expiro

Expiro, m0yv

backdoor expiro

Expiro payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables taskbar notifications via registry modification

evasion

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000 C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000\EnableNotifications = "0" C:\Windows\System32\alg.exe N/A
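The two rows above are the most actionable evasion indicator in this report: alg.exe, the Application Layer Gateway service binary (which the sample opened for modification, see the System32 table below), writes EnableNotifications = 0 under the per-user Security Center service key, silencing the tray and Action Center alerts for that SID. The script below, an added example that is not part of the sandbox report or its vendor's tooling, shows how to turn that into endpoint detection logic. The event records are constructed to resemble Sysmon Event ID 13 (RegistryEvent, SetValue) after SIEM normalisation and are not telemetry from this detonation; the allow-list of legitimate writers is an assumption.

```python
"""Flag the Security Center notification-suppression write recorded above.

Added example; not from the sandbox report or its vendor. The events below are
constructed to resemble Sysmon Event ID 13 (RegistryEvent SetValue) records, not
telemetry from this detonation. Field names follow Sysmon's schema; the
allow-list of legitimate writers is the author's assumption.
"""
import re

# Per-SID Security Center service settings. EnableNotifications = 0 silences the
# Action Center / tray alerts for that user; the report shows the infected
# alg.exe writing exactly this value.
SECURITY_CENTER_VALUE_RE = re.compile(
    r"(?i)^HKLM\\SOFTWARE\\Microsoft\\Security Center\\Svc\\S-1-5-21-[0-9-]+\\EnableNotifications$"
)
# Sysmon renders DWORD values as "DWORD (0x00000000)"
ZERO_DWORD_RE = re.compile(r"DWORD \(0x0+\)")

# Assumption: only these images legitimately toggle Security Center state
# (wscsvc runs inside svchost.exe; SecurityHealthService.exe hosts the Defender UI).
LEGITIMATE_WRITERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\securityhealthservice.exe",
}

SID_KEY = r"HKLM\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4089630652-1596403869-279772308-1000"

EVENTS = [  # constructed sample events, not real telemetry
    # the write seen in this report: a service binary that should never touch this key
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\alg.exe",
     "TargetObject": SID_KEY + r"\EnableNotifications",
     "Details": "DWORD (0x00000000)"},
    # same value written by the Security Center service host: allow-listed
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": SID_KEY + r"\EnableNotifications",
     "Details": "DWORD (0x00000000)"},
    # benign MuiCache noise of the kind listed under "Modifies data under HKEY_USERS"
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\system32\SearchProtocolHost.exe",
     "TargetObject": r"HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20",
     "Details": "Cabinet File"},
]


def is_security_center_suppression(event: dict) -> bool:
    """True when a non-allow-listed image sets EnableNotifications to 0."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    if not SECURITY_CENTER_VALUE_RE.match(event.get("TargetObject", "")):
        return False
    if not ZERO_DWORD_RE.search(event.get("Details", "")):
        return False  # re-enabling notifications is not what we hunt for
    return event.get("Image", "").lower() not in LEGITIMATE_WRITERS


def find_suppressions(events):
    """Return the events that match the rule, in input order."""
    return [e for e in events if is_security_center_suppression(e)]


def reg_query_command() -> str:
    """reg.exe invocation to audit the same value on a live host (all SIDs)."""
    return r'reg query "HKLM\SOFTWARE\Microsoft\Security Center\Svc" /s /v EnableNotifications'


if __name__ == "__main__":
    for hit in find_suppressions(EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['TargetObject']} = {hit['Details']}")
    print("host check:", reg_query_command())
```

The rule keys on value name, zero data and writer identity together, so a Security Center repair by the service itself or a MuiCache write by the indexer does not fire. On a suspected host the reg query command lists every SID subkey; any EnableNotifications set to 0 that the user did not configure is a lead worth pairing with the file-modification indicators in the tables that follow.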

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\alg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\nfcocnih.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msdtc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\sgrmbroker.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\ffacanoa.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\egokaooa.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\SysWOW64\alehedha.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\wbem\ipjqdpmh.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\nppgmoll.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pkjcpoed.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\njkinpmk.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vssvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\spectrum.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\cnpgcpoj.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\tieringengineservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\pbhnlggm.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\WindowsPowerShell\v1.0\ipemjlhh.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\openssh\mlgjebai.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\cmgfefkf.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\SysWOW64\immimgic.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vds.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\alg.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\hbbdmocc.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\SysWOW64\dbhinjpf.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\SysWOW64\khjlifmh.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\diagsvcs\biiokgcf.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\SysWOW64\sensordataservice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\SysWOW64\nakbdhjf.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\program files\common files\microsoft shared\source engine\epaagbkf.tmp C:\Windows\System32\alg.exe N/A
File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\cfclhhpg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Internet Explorer\kjkookie.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\program files\windows media player\oneaohhp.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\7-Zip\jgpijieg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\njnngikm.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\lbhckibj.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Internet Explorer\dendjgfp.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Internet Explorer\hfoijjjp.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\ifpcoece.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Windows\System32\alg.exe N/A
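The drive-enumeration table and the three "Drops file" tables above carry the report's real infection footprint: the sample opens dozens of service and application executables for modification, writes eight-lowercase-letter .tmp files beside them, and then alg.exe (one of the binaries it just modified) continues the same pattern against further targets. The script below is an added example, not part of the report or the vendor's tooling; it parses rows in the exact flattened format used above into a deduplicated hunt list, identifies executables that were both written to and later act as writers (the second-stage infector chain), and emits a stock PowerShell Get-AuthenticodeSignature check for the candidate files. The embedded rows are a small subset copied from the tables above; the classification heuristics are the author's own.

```python
"""Turn this report's flattened indicator rows into a hunt list.

Added example; not part of the sandbox report or its vendor's tooling. The
sample rows are copied from the tables above (a handful of the hundreds of rows,
to keep the block self-contained); the classification heuristics are the
author's own.
"""
import re
from collections import Counter

# One row = "<description> <indicator> <process> <target>". Indicators may contain
# spaces ("\??\c:\program files\..."), process paths in this report do not, and
# target is always "N/A" here, so the parser anchors on the process column.
ROW_RE = re.compile(
    r"^(?P<desc>File opened for modification|File created|File opened \(read-only\))\s+"
    r"(?P<indicator>.+?)\s+"
    r"(?P<process>[A-Za-z]:\\\S+)\s+"
    r"(?P<target>\S+)$"
)
# Dropper temp names in the report are eight lowercase letters plus .tmp
TMP_NAME_RE = re.compile(r"^[a-z]{8}\.tmp$")
# Drive enumeration rows carry an NT-style "\??\X:" indicator
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]:)$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe"
SAMPLE_ROWS = r"""
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created \??\c:\windows\system32\nfcocnih.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pkjcpoed.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File created C:\Program Files\Internet Explorer\kjkookie.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\alg.exe N/A
"""


def normalize(path: str) -> str:
    """Strip the NT \\??\\ prefix and lowercase so mixed-case duplicates collapse."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(rows_text: str) -> dict:
    """Classify report rows into modified executables, .tmp drops and drive probes."""
    executables, tmp_drops, drives = set(), set(), set()
    by_process = Counter()   # writer basename -> number of infection-related rows
    unparsed = []
    for line in rows_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        desc, indicator, process = m["desc"], m["indicator"], m["process"]
        path = normalize(indicator)
        if desc == "File opened for modification" and path.endswith(".exe"):
            executables.add(path)
            by_process[basename(process).lower()] += 1
        elif desc == "File created" and TMP_NAME_RE.match(basename(path)):
            tmp_drops.add(path)
            by_process[basename(process).lower()] += 1
        elif (dm := DRIVE_RE.match(indicator)):
            drives.add(dm.group(1))
    return {
        "executables": sorted(executables),
        "tmp_drops": sorted(tmp_drops),
        "drives": sorted(drives),
        "by_process": dict(by_process),
        "unparsed": unparsed,
    }


def second_stage_infectors(result: dict) -> set:
    """Executables that were written to by the sample and then act as writers themselves."""
    writers = set(result["by_process"])
    return {p for p in result["executables"] if basename(p) in writers}


def authenticode_check_command(paths) -> str:
    """Stock PowerShell: a patched binary no longer verifies (HashMismatch/NotSigned)."""
    quoted = ",".join(f"'{p}'" for p in paths)
    return (f"Get-AuthenticodeSignature -FilePath {quoted} | "
            "Where-Object Status -ne 'Valid' | Select-Object Path,Status")


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print("candidate infected executables:", *result["executables"], sep="\n  ")
    print("dropper temp files:", *result["tmp_drops"], sep="\n  ")
    print("drives probed:", result["drives"])
    print("second-stage writers:", second_stage_infectors(result))
    print(authenticode_check_command(result["executables"]))
```

Run it against the full tables (paste the rows in place of SAMPLE_ROWS) and the executables list becomes the scope for disk verification; the second-stage set is the list of system binaries that must be restored from known-good media rather than merely scanned, because the report shows them carrying the infection forward. The Authenticode check is a first pass only: reinstalling from trusted sources is the remediation for a file infector, and unparsed rows are reported rather than silently dropped so a format change in the source table is noticed.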

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073fe3e06d55ddb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032898304d55ddb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c385906d55ddb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016945005d55ddb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4b1c502d55ddb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac796d02d55ddb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000527f5c05d55ddb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000535ed904d55ddb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Windows\System32\alg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\System32\alg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c5f25d10330db5c8696a728d0a3ba60.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/640-0-0x00000000004BC000-0x000000000054F000-memory.dmp

memory/640-1-0x0000000000400000-0x000000000054F000-memory.dmp

memory/640-3-0x0000000000400000-0x000000000054F000-memory.dmp

C:\Users\Admin\AppData\Local\ldccaeio\jolcdbfe.tmp

C:\Windows\System32\alg.exe

memory/3724-23-0x000000014000D000-0x000000014001C000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

memory/4052-40-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\FXSSVC.exe

memory/640-47-0x00000000004BC000-0x000000000054F000-memory.dmp

memory/2196-48-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/640-49-0x0000000000400000-0x000000000054F000-memory.dmp

memory/2196-50-0x0000000140000000-0x00000001401C2000-memory.dmp

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

memory/3724-57-0x000000014000D000-0x000000014001C000-memory.dmp

\??\c:\windows\system32\Appvclient.exe

memory/3724-63-0x0000000140000000-0x0000000140136000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

C:\Program Files\Common Files\microsoft shared\Source Engine\epaagbkf.tmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

memory/4052-80-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msiexec.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Program Files\7-Zip\7z.exe

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\7zG.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

C:\Windows\System32\SearchIndexer.exe

C:\Windows\system32\windowspowershell\v1.0\powershell.exe
