Analysis

  • max time kernel
    147s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-10-2024 02:12

General

  • Target

    5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe

  • Size

    326KB

  • MD5

    5fddd166f5b5931b2ab328cfd40e420a

  • SHA1

    fa92f4074a2ee7166b9dc9081707ba7a4e8956c4

  • SHA256

    4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910

  • SHA512

    57aa9f96d83a906b910b1d63f3e9fa694c302696a7d237be47cfb1efdf0b5f0d2c152daa2be628fca2cd007a71dbc60def81867ddbfefed81b740b6240079c8c

  • SSDEEP

    6144:kt8UOo3u1PmgxfxNJpXSDV76nu9Ni/n5s5ojFHf9BW:kt8Po3utmgxf3JRSDJ6u6SWlo

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\restore_files_rqyjx.txt

Ransom Note
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://nasdki39dawk.oj998fh4txkjh.com/D8A66019E06A126 2. http://awoeinf832as.wo49i277rnw.com/D8A66019E06A126 3. https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: zpr5huq4bgmutfnf.onion/D8A66019E06A126 4. Follow the instructions on the site. 
IMPORTANT INFORMATION: Your personal pages: http://nasdki39dawk.oj998fh4txkjh.com/D8A66019E06A126 http://awoeinf832as.wo49i277rnw.com/D8A66019E06A126 https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126 Your personal page (using TOR): zpr5huq4bgmutfnf.onion/D8A66019E06A126 Your personal identification number (if you open the site (or TOR 's) directly): D8A66019E06A126
URLs

http://nasdki39dawk.oj998fh4txkjh.com/D8A66019E06A126

http://awoeinf832as.wo49i277rnw.com/D8A66019E06A126

https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126

http://zpr5huq4bgmutfnf.onion/D8A66019E06A126

Extracted

Path

C:\Program Files\7-Zip\Lang\restore_files_rqyjx.html

Ransom Note
<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <b><font class="ttl">What happened <!------sfg2gdfstw5ey3345 --> to your files?</b></font><br> <font style="font-size:13px;">All of your files were<!------sfg2gdfstw5ey3345 --> protected by a strong<!------sfg2gdfstw5ey3345 --> encryption with<!------sfg2gdfstw5ey3345 --> RSA-2048 <br> More information about the <!------sfg2gdfstw5ey3345 -->encryption RSA-2048 can be<!------sfg2gdfstw5ey3345 --> found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font> <br><b><font class="ttl">What <!------sfg2gdfstw5ey3345 --> does this mean?</b></font><br><font style="font-size:13px;"> This<!------sfg2gdfstw5ey3345 --> means that the <!------sfg2gdfstw5ey3345 --> structure and data within your files have been irrevocably <!------sfg2gdfstw5ey3345 -->changed, you will not be able to work<br> with them, read<!------sfg2gdfstw5ey3345 --> them or see them, it is the same thing <!------sfg2gdfstw5ey3345 -->as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. 
<br>All your <!------sdkfg3265436456hdfskjghfdg --> files were encrypted with the public key, <!------sdkfghd456334565436fskjghfdg --> which has been <!------sdkfghd45363456fskjghfdg --> transferred to <!------sdkfghdfskjghfdg -->your computer via <!------sdkfghd4356345643564356fskjghfdg -->the Internet.<br> <!------sdkfghd34563456fskjghfdg --> Decrypting of <!------sdkf45363456ghdfskjghfdg -->YOUR FILES is <!------sdkfghdfs4563456kjghfdg -->only possible <!------sdkfgh45364356dfskjghfdg -->with the help of the <!------sdkfghd4563456fskjghfdg -->private key and <!------sdkfghd43563456fskjghfdg -->decrypt program, <!------sdkfghdf43564356tyretyskjghfdg -->which is on our <!------sdkfgh34565346dfskjghfdg -->SECRET SERVER!!!. </font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br> <!------23452345dgtwertwre --><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> <!------sadfs32452345gfdsgsdfgdfsafasdfasdfsadf --><b>1.<a href="http://nasdki39dawk.oj998fh4txkjh.com/D8A66019E06A126" target="_blank">http://nasdki39dawk.oj998fh4txkjh.com/D8A66019E06A126</a></b><br> <!------ds234523452345fgwert --><b>2.<a href="http://awoeinf832as.wo49i277rnw.com/D8A66019E06A126" target="_blank">http://awoeinf832as.wo49i277rnw.com/D8A66019E06A126</a></b><br> <!------wer234524353245terwtewrt --><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126" target="_blank">https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126</a></b><br> <!------sfg2gdfstw5ey3345 --></div><br><div class="tb" style="font-size:13px; 
border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installation, run the browser and wait for initialization.<br>3. Type in the address bar: <font style="font-weight:bold; color:#009977;">zpr5huq4bgmutfnf.onion/D8A66019E06A126</font><br>4. Follow the instructions on the site.</div><br><br><b>IMPORTANT INFORMATION:</b><br><div class="tb" style="width:790px;"> Your Personal PAGES: <b><br> <a href="http://nasdki39dawk.oj998fh4txkjh.com/D8A66019E06A126" target="_blank">http://nasdki39dawk.oj998fh4txkjh.com/D8A66019E06A126</a> <br> <a href="http://awoeinf832as.wo49i277rnw.com/D8A66019E06A126" target="_blank">http://awoeinf832as.wo49i277rnw.com/D8A66019E06A126</a> <br> <a href="https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126" target="_blank"> https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126</a> </b> <br> Your Personal PAGE (using TOR): <font style="font-weight:bold; color:#009977;">zpr5huq4bgmutfnf.onion/D8A66019E06A126</font><br> Your personal code (if you open the site (or TOR 's) directly): <font style="font-weight:bold; color:#770000;">D8A66019E06A126</font><br> </div></div></center></body></html>
URLs

https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (887) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Roaming\vcwghv.exe
      C:\Users\Admin\AppData\Roaming\vcwghv.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5008
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1532
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:3904
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffde01046f8,0x7ffde0104708,0x7ffde0104718
          4⤵
          PID:3940
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
          4⤵
          PID:1624
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
          4⤵
          PID:3840
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
          4⤵
          PID:3676
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
          4⤵
          PID:4744
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
          4⤵
          PID:4472
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
          4⤵
          PID:1660
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
          4⤵
          PID:4396
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
          4⤵
          PID:4768
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
          4⤵
          PID:2172
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
          4⤵
          PID:5236
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
          4⤵
          PID:5244
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:4844
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwghv.exe >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:6092
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5FDDD1~1.EXE >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3712
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3544
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2720
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\restore_files_rqyjx.html

    Filesize

    4KB

    MD5

    6f409fbb014d4e028a1e0096991f2543

    SHA1

    9b8739eeb29299df52535337cec1b72b6617c28b

    SHA256

    c62641e645380412f3f8bbdb98547a52dc5c38983097a6cb0211f21c77d1d4e9

    SHA512

    354fd64e2e14b6f9af2761003e1355310d8a208e89c1051f0c1c5f544cd1914a1530957286aaf6b878dc3680c83c39d58572ad48b9da4e14955e5dae5da3e182

  • C:\Program Files\7-Zip\Lang\restore_files_rqyjx.txt

    Filesize

    2KB

    MD5

    df3f6c33e4c3d89d6878378095ee5aba

    SHA1

    bd3b0afa9593c8743e015e2c875db0a77c3a65c0

    SHA256

    7354b6c41d7519887de321615fdd3574733e850768fe7d5f51943c33717352b1

    SHA512

    ef987d8820a79e367b170a44f7ed7f7bdea2a9974ead3264861425ca096a34593818071d7f9572acbfcee938fb8e1db5c4e7e05b48246b1abd75d2a5ce5a9d99

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    d22073dea53e79d9b824f27ac5e9813e

    SHA1

    6d8a7281241248431a1571e6ddc55798b01fa961

    SHA256

    86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

    SHA512

    97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    bffcefacce25cd03f3d5c9446ddb903d

    SHA1

    8923f84aa86db316d2f5c122fe3874bbe26f3bab

    SHA256

    23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

    SHA512

    761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    5KB

    MD5

    631c92d673985addc86c22ec56ffc913

    SHA1

    6699dd791688dbfda1368dcfa52221f0048b7072

    SHA256

    a3ad901785522074e84b461e058ea2baf1d747d224d857f4bd898c63247a6d4c

    SHA512

    dacaf76b8adb0ceed79587fd5f9739f55e7d98dcb867bedafe4cf4b9d652686dbc742280e6f4ec3d53ec91b421cfa0e9fffa1600d8bf5ea14621039650548492

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    6KB

    MD5

    d84ffe31534d73280bb1b7e616073470

    SHA1

    a533200c42dbcda819e167f2df8808c678eb9ad3

    SHA256

    91395eacefaf65ae7b623ed502836dcbb16ce153a8b8bb061e904f1bfe724050

    SHA512

    149305759994a678560edfc27794dd9d215683bf7f7021f8e5b1f55f5a1a88938486cad7346d682f2e1e8d8d5aa4e105b1434f2a5639518be85fbef3ed40a13c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

    Filesize

    16B

    MD5

    6752a1d65b201c13b62ea44016eb221f

    SHA1

    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

    SHA256

    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

    SHA512

    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

    Filesize

    11KB

    MD5

    8e879b483ab784beaf8f1e7538181b36

    SHA1

    4f89938f0ea379934f41caa7564df522f161a82c

    SHA256

    402b9c5d0cfbd85d59de78eb872a69ce3b200af11caf9a2dca005c947570113b

    SHA512

    4980422652c9627976faba298a7e6f8be82c6c1a2c30a92b16cd02b8b5d159c40dd987ccf146910ccd350c069098d537397782fbba01003e180a59c9512bf9e5

  • C:\Users\Admin\AppData\Roaming\vcwghv.exe

    Filesize

    326KB

    MD5

    5fddd166f5b5931b2ab328cfd40e420a

    SHA1

    fa92f4074a2ee7166b9dc9081707ba7a4e8956c4

    SHA256

    4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910

    SHA512

    57aa9f96d83a906b910b1d63f3e9fa694c302696a7d237be47cfb1efdf0b5f0d2c152daa2be628fca2cd007a71dbc60def81867ddbfefed81b740b6240079c8c

  • memory/2108-16-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/2108-17-0x00000000741E0000-0x0000000074219000-memory.dmp

    Filesize

    228KB

  • memory/2108-0-0x0000000000800000-0x0000000000803000-memory.dmp

    Filesize

    12KB

  • memory/2108-6-0x00000000741E0000-0x0000000074219000-memory.dmp

    Filesize

    228KB

  • memory/2108-5-0x0000000000810000-0x0000000000814000-memory.dmp

    Filesize

    16KB

  • memory/2108-1-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/5008-15-0x0000000000C80000-0x0000000000C84000-memory.dmp

    Filesize

    16KB

  • memory/5008-7845-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/5008-6998-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/5008-2498-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/5008-7901-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/5008-18-0x00000000741E0000-0x0000000074219000-memory.dmp

    Filesize

    228KB

  • memory/5008-11-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/5008-7921-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB

  • memory/5008-7946-0x00000000741E0000-0x0000000074219000-memory.dmp

    Filesize

    228KB

  • memory/5008-7945-0x0000000000400000-0x0000000000714000-memory.dmp

    Filesize

    3.1MB