darkcomet | dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9

Resubmissions

14/04/2025, 04:20

250414-ex92msynx2 10

14/04/2025, 03:24

14/04/2025, 02:53

13/04/2025, 19:39

13/04/2025, 01:50

13/04/2025, 01:45

12/04/2025, 16:37

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Size

658KB
MD5

3178fcad2d2c2f3c0f4f70aecfb18db7
SHA1

0ecad6522214f9bef4dd8f2f8eb927827bc4971c
SHA256

dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9
SHA512

57148c860850344b1086c8765c083862d57d99119914e218aca4c8e80dc9cbe48d206b6aefaea9ad5cda58a459ff5888f1bc82f6fabacd2aa81f52818cef4985
SSDEEP

12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hV:KZ1xuVVjfFoynPaVBUR8f+kN10EBP

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1604

Mutex

DC_MUTEX-7X99PTF

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
DNgeskLTppzX
install
true
offline_keylogger
true
persistence
true
reg_key
System32.dll

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4520	attrib.exe
4556	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1832	notepad.exe

Executes dropped EXE 17 IoCs

pid	Process
3056	msdcsc.exe
4564	msdcsc.exe
4868	msdcsc.exe
3492	msdcsc.exe
4696	msdcsc.exe
2560	msdcsc.exe
3280	msdcsc.exe
312	msdcsc.exe
4432	msdcsc.exe
4524	msdcsc.exe
2560	msdcsc.exe
4972	msdcsc.exe
5104	msdcsc.exe
4772	msdcsc.exe
5428	msdcsc.exe
3532	msdcsc.exe
4444	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1938163124\safety_tips.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1938163124\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1090725429\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1090725429\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1090725429\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1572939056\data.txt	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1572939056\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1090725429\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1938163124\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1938163124\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1572939056\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1090725429\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_974391711\deny_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_974391711\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_974391711\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1938163124\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_974391711\deny_etld1_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5208_974391711\deny_full_domains.list	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133888832621318384"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3027557611-1484967174-339164627-1000\{A4AB9E69-BD0B-479F-8F00-513F44C07848}	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5208	msedge.exe
5208	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3056	msdcsc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5208	msedge.exe
5208	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSecurityPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeBackupPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeRestorePrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeShutdownPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeDebugPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeUndockPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 33	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 34	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 35	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 36	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3056	msdcsc.exe
Token: SeSecurityPrivilege	3056	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3056	msdcsc.exe
Token: SeLoadDriverPrivilege	3056	msdcsc.exe
Token: SeSystemProfilePrivilege	3056	msdcsc.exe
Token: SeSystemtimePrivilege	3056	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3056	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3056	msdcsc.exe
Token: SeCreatePagefilePrivilege	3056	msdcsc.exe
Token: SeBackupPrivilege	3056	msdcsc.exe
Token: SeRestorePrivilege	3056	msdcsc.exe
Token: SeShutdownPrivilege	3056	msdcsc.exe
Token: SeDebugPrivilege	3056	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3056	msdcsc.exe
Token: SeChangeNotifyPrivilege	3056	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3056	msdcsc.exe
Token: SeUndockPrivilege	3056	msdcsc.exe
Token: SeManageVolumePrivilege	3056	msdcsc.exe
Token: SeImpersonatePrivilege	3056	msdcsc.exe
Token: SeCreateGlobalPrivilege	3056	msdcsc.exe
Token: 33	3056	msdcsc.exe
Token: 34	3056	msdcsc.exe
Token: 35	3056	msdcsc.exe
Token: 36	3056	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	4564	msdcsc.exe
Token: SeSecurityPrivilege	4564	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4564	msdcsc.exe
Token: SeLoadDriverPrivilege	4564	msdcsc.exe
Token: SeSystemProfilePrivilege	4564	msdcsc.exe
Token: SeSystemtimePrivilege	4564	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4564	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4564	msdcsc.exe
Token: SeCreatePagefilePrivilege	4564	msdcsc.exe
Token: SeBackupPrivilege	4564	msdcsc.exe
Token: SeRestorePrivilege	4564	msdcsc.exe
Token: SeShutdownPrivilege	4564	msdcsc.exe
Token: SeDebugPrivilege	4564	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4564	msdcsc.exe
Token: SeChangeNotifyPrivilege	4564	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4564	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3056	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 3056	808	cmd.exe	89
PID 808 wrote to memory of 3056	808	cmd.exe	89
PID 808 wrote to memory of 3056	808	cmd.exe	89
PID 4660 wrote to memory of 4076	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 4660 wrote to memory of 4076	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 4660 wrote to memory of 4076	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 4660 wrote to memory of 3136	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	91
PID 4660 wrote to memory of 3136	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	91
PID 4660 wrote to memory of 3136	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	91
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 3056 wrote to memory of 2740	3056	msdcsc.exe	92
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 4660 wrote to memory of 1832	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 3136 wrote to memory of 4520	3136	cmd.exe	98
PID 3136 wrote to memory of 4520	3136	cmd.exe	98
PID 3136 wrote to memory of 4520	3136	cmd.exe	98
PID 4076 wrote to memory of 4556	4076	cmd.exe	99
PID 4076 wrote to memory of 4556	4076	cmd.exe	99
PID 4076 wrote to memory of 4556	4076	cmd.exe	99
PID 3560 wrote to memory of 4564	3560	cmd.exe	100
PID 3560 wrote to memory of 4564	3560	cmd.exe	100
PID 3560 wrote to memory of 4564	3560	cmd.exe	100
PID 4660 wrote to memory of 4868	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	102
PID 4660 wrote to memory of 4868	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	102
PID 4660 wrote to memory of 4868	4660	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	102
PID 3948 wrote to memory of 3492	3948	cmd.exe	106
PID 3948 wrote to memory of 3492	3948	cmd.exe	106
PID 3948 wrote to memory of 3492	3948	cmd.exe	106
PID 5372 wrote to memory of 4696	5372	cmd.exe	111

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4520	attrib.exe
4556	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4520
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5372
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault15d88cfdhb7a1h43d4ha239h5cdc8e50eaaa
1⤵
PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault15d88cfdhb7a1h43d4ha239h5cdc8e50eaaa --edge-skip-compat-layer-relaunch
  2⤵
  - Enumerates system info in registry
  PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x20c,0x7ffeef64f208,0x7ffeef64f214,0x7ffeef64f220
    3⤵
    PID:5384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2340,i,10207491699626647748,14597278003530093498,262144 --variations-seed-version --mojo-platform-channel-handle=2336 /prefetch:2
    3⤵
    PID:380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1932,i,10207491699626647748,14597278003530093498,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:3
    3⤵
    PID:2608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1812,i,10207491699626647748,14597278003530093498,262144 --variations-seed-version --mojo-platform-channel-handle=2724 /prefetch:8
    3⤵
    PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:5208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffeef64f208,0x7ffeef64f214,0x7ffeef64f220
    3⤵
    PID:4768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1808,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=2296 /prefetch:3
    3⤵
    PID:5472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2264,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:2
    3⤵
    PID:3948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2576,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:8
    3⤵
    PID:5684
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4120,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=4536 /prefetch:8
    3⤵
    PID:2660
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4120,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=4536 /prefetch:8
    3⤵
    PID:2900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4604,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=4600 /prefetch:8
    3⤵
    PID:5644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4588,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=4880 /prefetch:8
    3⤵
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4596,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:8
    3⤵
    PID:1008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4640,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:8
    3⤵
    PID:648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=3764,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=4728 /prefetch:1
    3⤵
    PID:3856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4880,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=5204 /prefetch:8
    3⤵
    PID:5504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3756,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:8
    3⤵
    PID:3524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=4184,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=5516 /prefetch:1
    3⤵
    PID:1584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5200,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=5232 /prefetch:8
    3⤵
    PID:5280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5216,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=4708 /prefetch:8
    3⤵
    PID:2292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5336,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:8
    3⤵
    PID:4360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5208,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=5728 /prefetch:8
    3⤵
    PID:3792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5880,i,6683155471324921668,4004054740278312544,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:648
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta2c9d61fh6fb6h48dahb18bhc33ec59127bf
1⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4328
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:2712
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:3108
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5184
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:676
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4748
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:3652
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:1560
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:2652
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4444

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1090725429\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1090725429\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1572939056\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5208_1938163124\manifest.json

Filesize
72B

MD5
a30b19bb414d78fff00fc7855d6ed5fd

SHA1
2a6408f2829e964c578751bf29ec4f702412c11e

SHA256
9811cd3e1fbf80feb6a52ad2141fc1096165a100c2d5846dd48f9ed612c6fc9f

SHA512
66b6db60e9e6f3059d1a47db14f05d35587aa2019bc06e6cf352dfbb237d9dfe6dce7cb21c9127320a7fdca5b9d3eb21e799abe6a926ae51b5f62cf646c30490

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5208_974391711\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
991dd8fbe9a0cd6dc3637646bc73b6fe

SHA1
cd33a4c3c2cea06b41e5388826af365691769de4

SHA256
7e873150a039c5eda07ab3768e2b49127c3f824319d28909fe07f31d6f3119a4

SHA512
b8c1dbb54394674bb88fd7cf368214885e0c328e51651ee8f412aa1ab85151582c70189a292e24d551a8144de29f82e8e9b51ca5a695d33dc0e3326a78d05263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
193a5097e13c2282cb88ffd1a9fb97b0

SHA1
00bf7b51dcac592b7e7eba5e7fd3377aa1bf604f

SHA256
f9798176efe85ea1d0a99216aa81fc8e28a0bdc9f3a59427732d5beae744dacd

SHA512
183ca1741439c10bc90794d65c953c18322d5509036e27faa3381fe3f21588fa98fa3033d42f23ca273427445c06b511c11a04d950028547875305a1e17f40e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3b87c4ba034c7b7d3999d69d088a5b1e

SHA1
ed69e69ee326ce965512015f6359d286322a17c7

SHA256
67bb3aacd8372370183ea67e32e3041fd593804e327d652878e0d63c0a71169b

SHA512
263f22c3722ae308246c5557359a72b2df4059edd09a001e61d7a1deaf990839dae0abc99d7a37ad4a031b39269d00951487edcfe6f79731dbb540a788de949a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Filesize
343B

MD5
def6b85962e68fbe0def05de375eaecc

SHA1
ad5e638c30166495290a7e3c7c9a3721f9c78d33

SHA256
6cb2ccaa93971ed7105898d755dd9b8c6a5259648bfe172f165fa61da82f3bda

SHA512
b7d8184bdc33fe502f8e3c2defa3f90fe7c36a9f49766a0af0d8720d4e0ccb5a04ec45a5f2d9022e625711bcdd14864cb07654c5c9ab8aab30e7a31507476cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
e66232cbda06f9f72eb977ba50ab25ab

SHA1
97722292f61715ca9afde874c0578570116e40ec

SHA256
86ee39b5a4fa0fe416ecff4e10c738d068ebbadf21dbd06b33ce3cda64c371d1

SHA512
d63611f7e5b7bfe5b60886f88d571b55d58e41a0e1822f3e4894c9596a0c41ed3eb4e818c773cd4b9b9edfeae5a6daf0762e7f16dce2049144aa308647cb1fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
c79be65dff6d6ecef657629029c55083

SHA1
6988572793c93e2ed2a1ca967dd4028db8c8d43d

SHA256
9aa9b8be95ae6be22adaf2676abb076640a4262efe671f00e827452e63d4fbe0

SHA512
73b9bc0402c1c7c29db965593ba937c82a3314f9695a93615c4e97c3a5c5ab619c2dcca890e5eadb5fe579cab7f7560245a244d982535782aa56293ea081a4aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ea2e56eb70c55210935dc3eae251dd64

SHA1
f78225c8b02289a54df2bc76daacc971ab77587d

SHA256
2cae2781ff060f70cd5ca507a235d128154ce85eb6ae30e31f55b0a5db71a513

SHA512
e108a099b1683048cb1427790896d4d45e4901385e131795351465dfb0012f881a88ecd0ddc6e4c3e8c4144f2f695ae774f4fdd76157087fbd277f2faf859483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
8f04a36913274c2e434a13e63bec472b

SHA1
59d4cb197bb97cc24a4fad61a1980d84e32f1c5d

SHA256
6ad0775cc0fc3bc544e45afb6aeaa58e513fba1dac36f4751aae0d8ea087b93c

SHA512
5be3a2ab74d8cc0de2874a04a44957b3bfcf7b970da43ff95e3cc230b11ca018f6f0c0834f90bdfbdf237e0adda996aa03329a20263a959dd51e9c52b62fd323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
1d798329815b0d0492fc9341811125e3

SHA1
c0cb290152602438602365c454ec365abf42b858

SHA256
e45891b7b04e4e2ddcd9c7e8958a7ecc8ee9acae17a06b8513f7a7e965cad40a

SHA512
d2c2c83927d91959a05ff4b31d25a943aed9aa213a9fb489f4244f82433122130630b60a80dcb10d004cf44919ec27a6aa05e0001dd9c89b488fd83e1e5ee3b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
32KB

MD5
cc39f75441b9a0cf3b1cb5db83e61ef4

SHA1
c8b12a5396a5078c343d8eb874072f4b5e1afc8c

SHA256
a6efc63440f1a34c55a70a4b690a5688301571dea3500f333dcfe331503e75ac

SHA512
f10adab8922f229987ecb0012ef37a542c10ab557d1be0baf449c009fa42d79f61648d4443ca64884c9eb3be7f1ea28915111e2409a46435487f65844c0d4ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\74e0740b-0acd-48f2-8d01-f0bdfaa839e1\index-dir\the-real-index

Filesize
1KB

MD5
a938a40381bd8dd9e97d355da1718a8a

SHA1
ad45b4ffb30615572238c42994d99951cb2eaa25

SHA256
0e99675ee2766b6adb6a4d6aa7c53c0ea239ccb5e7f304b72247552024b96b37

SHA512
e645448940483d6f8f3fbf13d0a0a231a9a00a375f2561ff724099cceae84debc89bfe19363d6a62107ac572849c7945fec582fa9d749572ecd7015c31497f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\74e0740b-0acd-48f2-8d01-f0bdfaa839e1\index-dir\the-real-index

Filesize
2KB

MD5
1f7cbc6e573f895b67aa29d34066ee3a

SHA1
d6e73a8214d173802f762ab85015aada4e8eac16

SHA256
194dce604f85d33c9bac69e2fb5dd3f38dc8bf877d74c053f144f2de1f077eda

SHA512
c4d5dd12d570124f384bd6c5c251f7cb2aed19ac90a508999ad0600b753600084b98287235fd70ab00cb9a7207d268a7005d22f708de579e0b7df218da0b7f5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\74e0740b-0acd-48f2-8d01-f0bdfaa839e1\index-dir\the-real-index~RFe583582.TMP

Filesize
1KB

MD5
a675b4de166472d69d8be3a08ed9ee2a

SHA1
b92a5b7e8205176cae2c4a70b188a33c829addc9

SHA256
8c7a74677fcd57ca2b36eaaa4a84b8931596ee9df0a686bd4c7256330341bdca

SHA512
4c1be69fb8aecebf172f017dd7ac98e7862b72f27e633b470ea38d1baaad56de166d17e06dc6eea5f87574f0376ad5fd35e9e22a180ba62467847a8159e24ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
370bcf19449af460809239370a8cfbc7

SHA1
c18b9cf72738880e953634b643ff3ba03b0bfad9

SHA256
d87a4191098a46416a1fb64fc39e00b38ce1e8f8a0b2820f413d68a5c08136ba

SHA512
3e199f22c1bfbad42b16e6ad161ce0f1be8cf80c5c084ad007aa0da4890f39edfa064dda3eda82107ba46e6647cf41bcf0e002a774a53f5ae85ee5e9a9624426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

Filesize
335B

MD5
04be7104188c5c82bc7cccc2e4b9c2e0

SHA1
b494d7f9189abeb626db60ff978ffd3cb3c8c3e0

SHA256
33ae006b269cee7b7091bb145799e0c3b28fa015031e1937e2241f59cb6a8296

SHA512
28d65cda953f7560fc4b529ebffd9ff7677f396ba8bee8b035219e190f86650cb129ecb83ed6b05f7b2041f377ece62b289bec438dfa1ab986ed7e487e7d524c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
03805e3f8e58195e152aa2adb1cb964a

SHA1
ba0d1315089208eaafde5d3c5a638393df67172d

SHA256
880bc50e91209f7832d8e5a3d926dce1d233a7a0b885bf7b48da2980c3b106cf

SHA512
09d6d11c2979c6c48696dec800cb354e229e679f71b9be4589ca9345d886e886deb042ce1d159b117d237133b56ba25ced88a91a01a3db49d4ae2553ae797dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588cca.TMP

Filesize
48B

MD5
f037963967f9779b2de63952db33278d

SHA1
9950cc30fa4c8c6c595e78da4c4596a113ac36c2

SHA256
df77f82ffb85738cc167d610d508a8712b223fa1ceadf766543e99b3b900f9be

SHA512
dd92412d32e76f18eeddf20a7474878bcb901f27c7e0483269440c1ae7a39b45887a3ba3ebbaa41f6a670333c79f3f5c8f447acca559f4142e6a009417adce46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
7478fb3afe93ca886c83bbc1cb58357b

SHA1
e961c4f02a98596d5a6d16b23e38d24a6837d47b

SHA256
20852408f4a06c962e21b375da52ddc3b092e1495790398b94ead8747af91afc

SHA512
965679afb3fbd3e38b77f068a36865c77d7c0c9290df33a4abe3ee4ea5eb4133a5ce5e2fe68c26b96c4a788047c6ae2ced517c8304d56c83475f0ae79c9710e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
a04288dd01b0ef123f81a73ecb7ed3f4

SHA1
76c84c9707c577de789653889516c7470a579b71

SHA256
bcd42a942e914afcc4f2d33f6ed52cc917517438df219a0ce62430d40342412f

SHA512
8b319aa7550ad94007d0260e9284ec12537dfc12d5e795118161b04dc5f15631d62377ef61304f9be73422f7428def0a9baa3294e6a9dca7067a9a20749457ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
8e28c4c735c9cc5db413534917eaab40

SHA1
4affdc2e99a607a0f5c3e75ddc4be72075ee5285

SHA256
e2799064a84bc2e9489e4cc753f8cd59801c972345c82ea298f756367c1711c3

SHA512
b04b7f6689636c234211d3768f0c997d91063fa2459238c08f06022ac4fe573ac1583e7c7280dd019cbca243d362bdac90fef5524bb48be46ad6de9798b2633b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\default_cloud_config.json

Filesize
13KB

MD5
cf9a0cd1d5f9c8cdeb87ef3f7d30d15c

SHA1
c543e62aab24c205db6014414161c13375e9a71c

SHA256
b24f36278e4c85a8fcd66021d48c69d6b07be605673e02f0fe185bf3319f47f4

SHA512
39ad5c5753e5398906b94ab039d2eae7fe420fe35a53f190bda84d4f9262f3b14841cdf4ec76cdbff6a4578a26ab1e6c4b11ba326ec8cc38a2e2904a6f2c0d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
52eeef490d60b72e2a023a6127bf4408

SHA1
10a641dd5ec55e46bd8d7dff5b940ec03dd695f6

SHA256
c1c3bbd167d423c59ede9a53248465a639085ea1fafcf829916b33bbe48bc554

SHA512
8852d63324e29bb93a56bfea298dceaeb8fafc7342feef6b179f5030936027e9988b655c08ea009856fc085ad39096fd66fef3b9d7c9c0a51669e8937d57f212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
9cd1c8e8b0ad21857f191e4df5507df4

SHA1
19f139943a3271118efa87832c648246f7b1349f

SHA256
468baebbc76720970af5da78821d86def900a37aa97386f9a0648a86734ace49

SHA512
dd4910a8e2968e2022b324f1eef64fba2c72511c2100e052c97474fae37ecf7b5302e3db94e88d2820f0d09a25702ac6446517512c89657039f25982747ffa22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
54c264405d016d01c49773502364724f

SHA1
d02f8de84190df3d62590bc3d27ede9ac0d886cc

SHA256
aea983ce5f48dc67010169b34a2ed16414689a4e6e81a38da209dee28a1ee9ef

SHA512
ce2ac7be2853b452d4fea2c0b203d8d387bee98d68ebd434a8727bb6372666bf4a43863fd4a44062050596dea5b765bf33a358a70337a5da6d3dba99206e8866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
20KB

MD5
1b8a553b9ad1379ac3848c05ab80a0e7

SHA1
7f4982c468e896fe24c9b0949c6564a404fddfc1

SHA256
aac4616d348f5a85e467bb19bfe672ad95c31f8e93b8afde1019a99beb444a74

SHA512
5930cda4a33cdbbeca3ff8dceb26bdf16bfe11470f9633012293a0698fddf0340d6babac177cfbc16193cfee2db0d162132a8c8960f0668790efea4d319cea75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
32c3d12abfef5178c06c7b058f800bff

SHA1
15b7761e38100506dcc0580a0424da9c6d8c4b30

SHA256
f616cc29a07ebd412119631bae7e78d62c6121826a85d6e52dbf9d88a5155713

SHA512
6fd6203e3b2d9f89e539c97ee7b269b6a8eec22305897e57af1de58700030dfc0d367a544020b2e8b393516ed99d9b2cca3c01306258efae6040af4d93d33ae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
d9eb0ed4fe1676cc924dd6304eaf277d

SHA1
214dab128c941ad359385a68a6dff4ba64bc8563

SHA256
bd3cc3651e9b6253120e2f9e2889a503dfe177e1f5ba3f30afcec0cda758b1ef

SHA512
f3310f79e038187db590f3807b78efc32d0b9e52e07d03d39a4f2f70b9dec1df72ba173c6f47c81d1b92a37bf4bfc8720651e727346ef952b07e06637f0bf6fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
3be5b3951c15717eff041b9b66044bfc

SHA1
b5a9452bc132625108cd0081da8e4e5af1866e49

SHA256
584c49fc44654573d939734737d47e7d3e383a8978e2ca024c01ea8ee1bcfaf2

SHA512
80b9fb3e5cbcbc0859f9375513b337964945af7056cdcdb45901aa90a124a40676b57e72ed727860ebe593fdd425cd976a01360d816c8c17b172c57c2dab9615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
3d2984dc3c176868dcb915da725f5db4

SHA1
78d5bf622c8977e18181593834a8a4569518c3af

SHA256
5cc4f2b885895857eae43dd63b861440fc97373b92778f0fe64415f29cb83972

SHA512
00095d9db9f4bda122af988f57e7413c38574684972cb2c93a62a4bc3b2b00d87e8deec0a84b5fb9b3a362f8be0f5ab35f47b8769a11de35b885148f4266341d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
06cfd4ba7eb4bc4a3acd31692fd7cb4f

SHA1
143a4a328b0f1bf8fcea032e19cce37ee57a5d96

SHA256
0494b95975c56750cc7ee0af62de50e461e100b9594dc5b7fefd88c4d84b0c5a

SHA512
f7607f43460cfb47712e9410a1e46c20b1e4de28d3583c384231e75fc05cd0d3a2c8e70f5fd4393dcc9663704072f4bc199262670749a1344a03a4a887b199a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a39fcc2f934aa16780f4304a0a4c0f75

SHA1
7633111532b31de22a64e467819ca83ee86ee780

SHA256
2ab163eba6cc4b3fcd90d0390a449aa13a6194ab23dcdeb54fd5d73659fd0d1e

SHA512
62fcd3cad5c417d047fc9d6bcf0e0b3e3aba40bf0bb33dab7ee4964fb66d1130bba82437ec2bff3ac0ec5eb80780ce342620ac9006cac546cf5ba12920a701af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
7890d54452b99d18a494a3e3623494f2

SHA1
75420060a17f7295ea56e54d2c3f8910f43ccdfc

SHA256
ffd42f9fbbee6b84c8049410a43892a29d0c72193ec50534f4081a46cff5dca4

SHA512
f577949f7fc9209a626af11a12e06fab61f3441be249cd3c9b5a907c9f6369f24e28005ac039e657302e6c2b282be4761e48e5b69403fffbbd842b87fc36a03c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\safety_tips.pb

Filesize
163KB

MD5
bd6846ffa7f4cf897b5323e4a5dcd551

SHA1
a6596cdc8de199492791faa39ce6096cf39295cd

SHA256
854b7eb22303ec3c920966732bc29f58140a82e1101dffe2702252af0f185666

SHA512
aa19b278f7211ffaf16b14b59d509ce6b80708e2bb5af87d98848747de4cba13b6626135dd3ec7aabd51b4c2cfb46ed96800a520d2dae8af8105054b6cd40e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\typosquatting_list.pb

Filesize
3KB

MD5
17c10dbe88d84b9309e6d151923ce116

SHA1
9ad2553c061ddcc07e6f66ce4f9e30290c056bdf

SHA256
3ad368c74c9bb5da4d4750866f16d361b0675a6b6dc4e06e2edd72488663450e

SHA512
ad8ed3797941c9cad21ae2af03b77ce06a23931d9c059fe880935e2b07c08f85fc628e39873fb352c07714b4e44328799b264f4adb3513975add4e6b67e4a63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Filesize
264KB

MD5
97852865f4102a4acde0b5eb9cf6b90b

SHA1
7653e081e8832e4a5bed5b5f322a66ab3caaa4ed

SHA256
3136d854f431b51b8e0af2ebd91f0b9455223a09c41d031e910867bbe4347581

SHA512
1e6e19283ea27b28614c18103cee2708dc37be43d9889901fa3f047e9e8bb62d28b161f6590f74e16361e3df86c6eece5ddac1ad42ebce7ee2ac7614195db049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
658KB

MD5
3178fcad2d2c2f3c0f4f70aecfb18db7

SHA1
0ecad6522214f9bef4dd8f2f8eb927827bc4971c

SHA256
dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9

SHA512
57148c860850344b1086c8765c083862d57d99119914e218aca4c8e80dc9cbe48d206b6aefaea9ad5cda58a459ff5888f1bc82f6fabacd2aa81f52818cef4985

Download Submit
memory/312-254-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1832-8-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2560-656-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2560-214-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2740-7-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/3056-6-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/3056-16-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3280-242-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3492-17-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3532-894-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4432-260-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4444-906-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4524-651-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4564-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4660-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4660-0-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/4696-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4772-818-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4868-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4972-727-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5104-785-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5428-864-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download