darkcomet | dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9

Resubmissions

14/04/2025, 04:20

250414-ex92msynx2 10

14/04/2025, 03:24

14/04/2025, 02:53

13/04/2025, 19:39

13/04/2025, 01:50

13/04/2025, 01:45

12/04/2025, 16:37

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Size

658KB
MD5

3178fcad2d2c2f3c0f4f70aecfb18db7
SHA1

0ecad6522214f9bef4dd8f2f8eb927827bc4971c
SHA256

dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9
SHA512

57148c860850344b1086c8765c083862d57d99119914e218aca4c8e80dc9cbe48d206b6aefaea9ad5cda58a459ff5888f1bc82f6fabacd2aa81f52818cef4985
SSDEEP

12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hV:KZ1xuVVjfFoynPaVBUR8f+kN10EBP

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1604

Mutex

DC_MUTEX-7X99PTF

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
DNgeskLTppzX
install
true
offline_keylogger
true
persistence
true
reg_key
System32.dll

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4668	attrib.exe
4688	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2124	notepad.exe

Executes dropped EXE 19 IoCs

pid	Process
4592	msdcsc.exe
6060	msdcsc.exe
4860	msdcsc.exe
4572	msdcsc.exe
552	msdcsc.exe
1892	msdcsc.exe
556	msdcsc.exe
1744	msdcsc.exe
3824	msdcsc.exe
3764	msdcsc.exe
5536	msdcsc.exe
3824	msdcsc.exe
5216	msdcsc.exe
4584	msdcsc.exe
1992	msdcsc.exe
3228	msdcsc.exe
6096	msdcsc.exe
5640	msdcsc.exe
5936	msdcsc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4592	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSecurityPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeBackupPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeRestorePrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeShutdownPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeDebugPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeUndockPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 33	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 34	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 35	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 36	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4592	msdcsc.exe
Token: SeSecurityPrivilege	4592	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4592	msdcsc.exe
Token: SeLoadDriverPrivilege	4592	msdcsc.exe
Token: SeSystemProfilePrivilege	4592	msdcsc.exe
Token: SeSystemtimePrivilege	4592	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4592	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4592	msdcsc.exe
Token: SeCreatePagefilePrivilege	4592	msdcsc.exe
Token: SeBackupPrivilege	4592	msdcsc.exe
Token: SeRestorePrivilege	4592	msdcsc.exe
Token: SeShutdownPrivilege	4592	msdcsc.exe
Token: SeDebugPrivilege	4592	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4592	msdcsc.exe
Token: SeChangeNotifyPrivilege	4592	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4592	msdcsc.exe
Token: SeUndockPrivilege	4592	msdcsc.exe
Token: SeManageVolumePrivilege	4592	msdcsc.exe
Token: SeImpersonatePrivilege	4592	msdcsc.exe
Token: SeCreateGlobalPrivilege	4592	msdcsc.exe
Token: 33	4592	msdcsc.exe
Token: 34	4592	msdcsc.exe
Token: 35	4592	msdcsc.exe
Token: 36	4592	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	6060	msdcsc.exe
Token: SeSecurityPrivilege	6060	msdcsc.exe
Token: SeTakeOwnershipPrivilege	6060	msdcsc.exe
Token: SeLoadDriverPrivilege	6060	msdcsc.exe
Token: SeSystemProfilePrivilege	6060	msdcsc.exe
Token: SeSystemtimePrivilege	6060	msdcsc.exe
Token: SeProfSingleProcessPrivilege	6060	msdcsc.exe
Token: SeIncBasePriorityPrivilege	6060	msdcsc.exe
Token: SeCreatePagefilePrivilege	6060	msdcsc.exe
Token: SeBackupPrivilege	6060	msdcsc.exe
Token: SeRestorePrivilege	6060	msdcsc.exe
Token: SeShutdownPrivilege	6060	msdcsc.exe
Token: SeDebugPrivilege	6060	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	6060	msdcsc.exe
Token: SeChangeNotifyPrivilege	6060	msdcsc.exe
Token: SeRemoteShutdownPrivilege	6060	msdcsc.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4592	msdcsc.exe
5632	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5776 wrote to memory of 4592	5776	cmd.exe	88
PID 5776 wrote to memory of 4592	5776	cmd.exe	88
PID 5776 wrote to memory of 4592	5776	cmd.exe	88
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 4592 wrote to memory of 4500	4592	msdcsc.exe	91
PID 3120 wrote to memory of 6060	3120	cmd.exe	92
PID 3120 wrote to memory of 6060	3120	cmd.exe	92
PID 3120 wrote to memory of 6060	3120	cmd.exe	92
PID 4004 wrote to memory of 2268	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 4004 wrote to memory of 2268	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 4004 wrote to memory of 2268	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	93
PID 4004 wrote to memory of 3660	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	95
PID 4004 wrote to memory of 3660	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	95
PID 4004 wrote to memory of 3660	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	95
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 4004 wrote to memory of 2124	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	96
PID 2268 wrote to memory of 4688	2268	cmd.exe	98
PID 2268 wrote to memory of 4688	2268	cmd.exe	98
PID 2268 wrote to memory of 4688	2268	cmd.exe	98
PID 3660 wrote to memory of 4668	3660	cmd.exe	99
PID 3660 wrote to memory of 4668	3660	cmd.exe	99
PID 3660 wrote to memory of 4668	3660	cmd.exe	99
PID 4004 wrote to memory of 4860	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	100
PID 4004 wrote to memory of 4860	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	100
PID 4004 wrote to memory of 4860	4004	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	100
PID 5500 wrote to memory of 4572	5500	cmd.exe	116
PID 5500 wrote to memory of 4572	5500	cmd.exe	116
PID 5500 wrote to memory of 4572	5500	cmd.exe	116
PID 4452 wrote to memory of 552	4452	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4688	attrib.exe
4668	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4668
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5776
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5500
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5212
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5960
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:6060
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4804
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3dc 0x2fc
1⤵
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4620
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2000 -prefsLen 27099 -prefMapHandle 2004 -prefMapSize 270279 -ipcHandle 2080 -initialChannelId {be34954b-3438-47d0-91ed-0bb93f08b478} -parentPid 5632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5632" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:3404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2460 -prefsLen 27135 -prefMapHandle 2464 -prefMapSize 270279 -ipcHandle 2472 -initialChannelId {1069c92b-d98c-40ad-a8d5-53732d0c0c9a} -parentPid 5632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:3184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3848 -prefsLen 27276 -prefMapHandle 3852 -prefMapSize 270279 -jsInitHandle 3856 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3860 -initialChannelId {12a82782-7926-4466-9028-6ec75623d873} -parentPid 5632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:1064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4040 -prefsLen 27276 -prefMapHandle 4044 -prefMapSize 270279 -ipcHandle 4108 -initialChannelId {e18110e9-8b10-4289-ab18-7a2273bc91f2} -parentPid 5632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5632" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:2036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2936 -prefsLen 34775 -prefMapHandle 2696 -prefMapSize 270279 -jsInitHandle 2920 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3260 -initialChannelId {cad3c7d4-23c4-4e52-b1ff-889424a5c3e8} -parentPid 5632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:4960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4624 -prefsLen 34931 -prefMapHandle 4628 -prefMapSize 270279 -ipcHandle 4656 -initialChannelId {fd025c65-1bba-48f1-9cfa-d441db43dd04} -parentPid 5632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:3516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5280 -prefsLen 32952 -prefMapHandle 5284 -prefMapSize 270279 -jsInitHandle 5288 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5296 -initialChannelId {880a0e3e-0b3f-4ec9-9932-15e74c09301f} -parentPid 5632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:1936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5304 -prefsLen 32952 -prefMapHandle 5480 -prefMapSize 270279 -jsInitHandle 3160 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1368 -initialChannelId {852a5c4d-454a-4399-8fb0-3804b63f1473} -parentPid 5632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:5288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5692 -prefsLen 32952 -prefMapHandle 5696 -prefMapSize 270279 -jsInitHandle 5700 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5708 -initialChannelId {2a892730-ccac-44ab-9a60-893879b2c569} -parentPid 5632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:2032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6120 -prefsLen 36503 -prefMapHandle 6292 -prefMapSize 270279 -jsInitHandle 6296 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6576 -initialChannelId {68b3eeee-8b71-4d10-8ca0-b070de97c4e5} -parentPid 5632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:3004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5476 -prefsLen 36503 -prefMapHandle 6344 -prefMapSize 270279 -jsInitHandle 3024 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6736 -initialChannelId {e4ff3d3e-af22-4bba-999f-0963244816d6} -parentPid 5632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:3104
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4312
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:6116
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:2596
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5308
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4236
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4560
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5936

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ahkgvp67.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
db118a18f145948a82a8d7060faf0060

SHA1
269e6bff6fc979db4190e6fb0212a1c3ef2b9500

SHA256
2e34125fce8a04e67fcc7efad311ab666faf184525ee5a47cf713e958e6d42f1

SHA512
12a78baeead172a7c3a792219886fcc8325180eac524d47ebc057fa3d9b416313e1efb92390bc04b25891c031e7b3da026f42c505af95523d827a53f28503dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
658KB

MD5
3178fcad2d2c2f3c0f4f70aecfb18db7

SHA1
0ecad6522214f9bef4dd8f2f8eb927827bc4971c

SHA256
dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9

SHA512
57148c860850344b1086c8765c083862d57d99119914e218aca4c8e80dc9cbe48d206b6aefaea9ad5cda58a459ff5888f1bc82f6fabacd2aa81f52818cef4985

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\AlternateServices.bin

Filesize
8KB

MD5
da0e25b985f1e56ec3f2cb19c765a348

SHA1
032f0c5172a893fdfacd4c9b955af19250714083

SHA256
480c78bfb7ea4041cf050dd6bc0c1dac5bc2e72a648dc7640f72325bf9853915

SHA512
2b239710b284d06fd795c53f4ffb49760ddbf25dfc8c39ef9da61d2b4cf70f57d71cf7a9ed59e696557dc6a6beba0357bbdc2037e1e8981b0ebda1da7d65fe1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\db\data.safe.tmp

Filesize
58KB

MD5
9baa8ff5b28338cf885a100056c7b246

SHA1
2abaca400da10b0ed49970932ac4e04cddb07200

SHA256
a31f08d6d786f04f1d1bb9ed1cd4a8a49c7253e8981db624040ef02dcf7fa72f

SHA512
32632dba60d50192aebe2c943389e516cda3d761b8f8b75e047bcfd21a3e6020e89b04c39ac749c4a9d53b17cf4e93e06ea8aa12f6f232bb0de5e33b3222920b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b87340119622397ab87241c57646f434

SHA1
c301ec94ca4612a3ef26632ffd01b6910e900ca0

SHA256
6d06ca6bdb640e150d44206fb373729ab2cb4c6d1e4e3b0e88b138ffce7df340

SHA512
45927621cc0dc0bd52aec9316546efaa0c938139ab154f797360bed46121f5756b103f246939635dfd76f4a12eef731a8a0d8bed553d65b14ff9b1c7415b31ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
f0a3e760bb2ff0024b6b55de209606e8

SHA1
dbb463dea91639c26009d771b3d86de94a646085

SHA256
2631adb646dce695517e1ac7244e92cfee306705e7b3314f137c974321f26e59

SHA512
d978fd8adc6b69cce2411af4a4450d851c79048aad5c5e5df90dbc5e2cd023f5f78baf004c8d3c13be97ed56879f8ccfc088d7b78008ce1b4575db77b8b62e36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\1fc857c2-e561-4d19-a372-3bbf973d54cb

Filesize
2KB

MD5
57888f4710800a316dda49ced837d3e2

SHA1
fd2e85fc2a223cae6735e36d360d191c7a442315

SHA256
ceb96b39886d1cd099baaa77d1ffada38ecfd0e1a2dcc3b7c1e8732d2b04e45e

SHA512
6d48118ff4b82d4f24b3465def603a0447b9673515c874bb500c70994ed8f28cc5cb6d2cdb3de4e4322c9c8ce9fa4abec3ca340c98abec8e200a972a57ad1a14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\3ed747a9-83df-4214-a402-bb9617aa3552

Filesize
883B

MD5
711e1f9d5662cef1dc28e00407b03e3d

SHA1
c247780e6a41c4777b549cf19ba18f2e0419b8e7

SHA256
ff874431f928047dccddad23b5390b820b86090a4f48ccd7a344b2c7243a7dc7

SHA512
effef091ac42feb634b5ec1f43f643b253c64d8426ab66945001247580bcd1db3c9f3095be42b53b4163e071526672f104cbdb56646bf5b6a19a2901814a86e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\51b13c96-7806-464f-83f4-ebac338ef335

Filesize
235B

MD5
25709a966a81c48bcfaa531f126f37cd

SHA1
004f44b1df0a36905a647fdb2271bae65b37797a

SHA256
ed9ba7b7a04ba59158dd346a8bbc5636820dfdab06e06bab5d44cc18b3a9e08d

SHA512
469fa81988f3df113df706b771aa5837afee5fea0b7bf8448da36b48e922abc60076a3c3165a614dc9c69ea26cd2e9c45f139a694ae2526121151123138dd992

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\560873da-bcd8-4554-bcfe-b1e0ba0bd8f0

Filesize
16KB

MD5
e3969c41a990035871be925deaf3ba44

SHA1
e680b45a8f3af9b6eb4ff60889aef13de5e1c4ab

SHA256
db3826788147b4017870e509d7e1d05cb1282e762fb8e6d9a5e1dc062b8865dd

SHA512
3dcf89abdc07d22870b4ab8de31f5d6bcd6b66bd39ff841958b372b2d9e75b40407502d6adc9a788417adf8ef441a4677e457fbb427e90136d906dbe3141963e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\80b34f37-b5f9-4f4f-8791-9f266b7d04b0

Filesize
886B

MD5
a394f1f591ce25ebf6b43f666c0355c0

SHA1
396b5e6afd92d95e682dbee8cdbcdd70f6dfc01f

SHA256
cf414e7e69484227599915245033fe5a6ccb1b59726b5cebcd6e6ccefd69b110

SHA512
f85abc5998859275f6c3b504f810bd07e1b93e51ccadbf3f9eb1057c741b8a0d4153cc106e8efd5b1861759f4656e08d4a14e0a7338d89332d1f82fc43d52646

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\ff6b9d6f-bf8e-4138-9929-90386cdabea3

Filesize
235B

MD5
e3aa36f896e6ca4f06c116cd8f2bb6a2

SHA1
341dbf02e5d3eee5a4d61471b3ed7330b3ecba4e

SHA256
9ec41640898817d1e6a2ad1eab0e32e495b1ddb788dab293d0357cf6afa56296

SHA512
d27fab58a3691396bf6f18e2fbb49ec1520056e981e281fc0fcce52cf148cc2472b9788df4ce1719c90339246f9ac2e8fe17949d7e2166d75030379aba2dab5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\extensions.json

Filesize
16KB

MD5
889db56709e08ef6c8ca1ed2e98d3645

SHA1
7a16059dd5dbac9aa5d29060d17dcf4393eb4597

SHA256
c83b318e0415226668903cf64fb6f7e58afbdab23663ad60b875dcd1eb9f25d4

SHA512
dfba5db1645fd4fa7af8ad83275a01b2ed845a37f2cb1749dc99831277e5e016be20daf2c8453c76e43f21a5a9045cbb83b49638264e527a549e183877e0955c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\prefs.js

Filesize
6KB

MD5
c8948b520db63951813fc613540743bc

SHA1
a0d12b54ddc3f78e6696115189990727f9750470

SHA256
18ef414aa8eef74b78e38f649b5d84a6dd00e2d60f650ad5797b9b6adf2fb428

SHA512
1c382d1661970cdd00d22cd112224b06475184cee975f95edd0a8d6a2bcb2b462561121547165941ecfc7d0883e04cbee2556f08a6f4ce22f55f8f097df6e1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\prefs.js

Filesize
7KB

MD5
88620c0a5f1def622c1c737994dd3d90

SHA1
fd741cab8e69c0336be29544fc8842180b7ac453

SHA256
98ead6e23f159e9d60148d1292cf3d809d66a3ec25b315c80f9bfcc6c8fd525d

SHA512
74199a7715649eeb0e4843fb67a7d0916ff309eb430f8d82c5e3cd4f6c76b1205f12c207119e41ca0d012ffc0331d960909d6d9978df047068a15f226e274d11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\prefs.js

Filesize
7KB

MD5
7cd638bee71c4ab87cd5ed279e480dae

SHA1
7b4c419147d9786f52c577232819615f0d942f96

SHA256
5aac895ccabedafa5e041b0366b60e009287dbdb24677a50f24918491a3a047c

SHA512
7fedbbf0740667595191243fc3fc3495c04ede2f9bb8b856b711931593b145ef16047659d31e51512661a13b735984bb0605748b33b5f16105a329ba08637aa6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\prefs.js

Filesize
6KB

MD5
b55cc92fafc880332f4c0803786a1355

SHA1
3d96e3f0f17678c56687b4456554b5cc11d72049

SHA256
2fd2e596587063d3b4e3672a1d2b42ace102aa0ef9610457586627dcd1a8fd12

SHA512
20180b192ae825abf3d5f0f2924ed3d87b7e7c78d01345f5f8cfd5e18eccfbbb02b3b4a1fab533dbc086258e3f4661d065960fb941cbed0f235835becf179b63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\sessionstore-backups\recovery.baklz4

Filesize
925B

MD5
74a1e1e27561880a100a536da7aff723

SHA1
fea81d0f284ad2ab115f9189e2969f7118e9dac3

SHA256
4af52eaa3479754f64b78a3d3f5462bf83b49e606722b758470420202ae42346

SHA512
f27ea527de108064e62b0b06bfc6a6f4384e3c119546fb94b22fd960cf367468659c38856569b1400eb5515002ba9b990555efb662cb8b79a3a916f3ec234dfa

Download Submit
memory/552-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/556-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1744-28-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-22-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1992-450-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2124-9-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3228-791-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3764-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3824-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3824-406-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4004-0-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4004-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4500-7-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/4572-17-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4584-437-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-18-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-786-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-15-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/4592-6-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/4860-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5216-426-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5536-49-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5640-827-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5936-832-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/6060-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/6096-813-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads