Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/05/2025, 11:26
- Static task: static1
- Behavioral task: behavioral1
- Sample: JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe
- Resource: win10v2004-20250502-en
General
- Target: JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe
- Size: 337KB
- MD5: 06afea8ebb1fd0ab752a2242b7e01c4b
- SHA1: 7a854db1ad7a94f356cf091ae2db4c0d4cb6b8a7
- SHA256: ff0456237f7fd6c04b25859f926ed69cc6a55c979794afe923cefe1a0def39ea
- SHA512: 35efc508e78737c8079ecff981aeedae5928f4efe30c9d8b535029d8e8616aabeec10d843842367cdeb179d8de104fa37cba6cca57d36bb5796f22ea552a9f4b
- SSDEEP: 6144:A/Prf/oeN7CIwgfIcs/edG5tbHXeHhrL4fDYbiyZfqhtYOuZW5OZdlH:MHoeN7/w6tPA5F3eHhAf8myt4YZsgb5
Malware Config
Extracted
- Path: C:\Users\restore_files_kikbf.txt
- URLs:
  - http://lk2gaflsgh.jgy658snfyfnvh.com/A05950C285DC5F5A
  - http://dg62wor94m.sdsfg834mfuuw.com/A05950C285DC5F5A
  - https://djdkduep62kz4nzx.onion.to/A05950C285DC5F5A
  - http://djdkduep62kz4nzx.onion/A05950C285DC5F5A
Extracted
- Path: C:\Users\restore_files_kikbf.html
- URLs:
  - https://djdkduep62kz4nzx.onion.to/A05950C285DC5F5A
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (912) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation | JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation | vcwwbb.exe |
Drops startup file 4 IoCs
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_kikbf.html | vcwwbb.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_kikbf.txt | vcwwbb.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_kikbf.html | vcwwbb.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_kikbf.txt | vcwwbb.exe |
Executes dropped EXE 2 IoCs
| pid | Process |
|---|---|
| 4188 | vcwwbb.exe |
| 1412 | vcwwbb.exe |
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C:\\Users\\Admin\\AppData\\Roaming\\vcwwbb.exe" | vcwwbb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C" | vcwwbb.exe |
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
| flow | ioc |
|---|---|
| 6 | ipinfo.io |
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-125.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\10.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\restore_files_kikbf.html vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-200_contrast-white.png vcwwbb.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping960_1327106174\manifest.json msedge.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppValueProp.svg vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-24_altform-lightunplated.png vcwwbb.exe File opened for 
modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7cb.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\restore_files_kikbf.html vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.scale-100_contrast-white.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200_contrast-white.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\styles.css vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineUtilities.js vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-100.png vcwwbb.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG vcwwbb.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\restore_files_kikbf.html vcwwbb.exe File opened for 
modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_kikbf.html vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\restore_files_kikbf.html vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-20.png vcwwbb.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\THMBNAIL.PNG vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsStoreLogo.scale-100.png vcwwbb.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png vcwwbb.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\63.png vcwwbb.exe File 
opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\restore_files_kikbf.html vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\office.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-150.HCBlack.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalStoreLogo.scale-125_contrast-black.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-125.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-100.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-20_altform-unplated.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_SplashScreen.scale-100.png vcwwbb.exe File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program 
Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated_contrast-black.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\3039_32x32x32.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-256.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-96.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\MedTile.scale-200.png vcwwbb.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png vcwwbb.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\restore_files_kikbf.html vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\messaging\restore_files_kikbf.html vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-30_contrast-white.png vcwwbb.exe File opened for modification C:\Program 
Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-125.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\restore_files_kikbf.txt vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\restore_files_kikbf.html vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FaceReco_Illustration_LRG.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-unplated_contrast-black.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-200.png vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\Scrubbing_icons.png vcwwbb.exe File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt vcwwbb.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_contrast-white.png vcwwbb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vcwwbb.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vcwwbb.exe |
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe |
Enumerates system info in registry 2 TTPs 3 IoCs
| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
| pid | Process |
|---|---|
| 3960 | vssadmin.exe |
| 2404 | vssadmin.exe |
Modifies data under HKEY_USERS 2 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133920412446843749" | msedge.exe |
Modifies registry class 3 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000_Classes\Local Settings | vcwwbb.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3674642747-2260306818-3009887879-1000\{3B6C83AD-E7CD-4B36-9C9E-C407E8DBD53A} | msedge.exe |
Modifies system certificate store 2 TTPs 5 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c000000010000000400000000080000040000000100000010000000410352dc0ff7501b16f0028eba6f45c5030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd
68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 vcwwbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 vcwwbb.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 vcwwbb.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 vcwwbb.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 vcwwbb.exe -
Opens file in notepad (likely ransom note) 1 IoCs
| pid | Process |
|---|---|
| 3080 | NOTEPAD.EXE |
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe 4188 vcwwbb.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
| pid | Process |
|---|---|
| 960 | msedge.exe |
| 960 | msedge.exe |
| 960 | msedge.exe |
| 960 | msedge.exe |
| 960 | msedge.exe |
Suspicious use of AdjustPrivilegeToken 6 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 4464 | JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe |
| Token: SeDebugPrivilege | 4188 | vcwwbb.exe |
| Token: SeBackupPrivilege | 2140 | vssvc.exe |
| Token: SeRestorePrivilege | 2140 | vssvc.exe |
| Token: SeAuditPrivilege | 2140 | vssvc.exe |
| Token: SeDebugPrivilege | 1412 | vcwwbb.exe |
Suspicious use of FindShellTrayWindow 2 IoCs
| pid | Process |
|---|---|
| 960 | msedge.exe |
| 960 | msedge.exe |
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4464 wrote to memory of 4188 4464 JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe 87 PID 4464 wrote to memory of 4188 4464 JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe 87 PID 4464 wrote to memory of 4188 4464 JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe 87 PID 4464 wrote to memory of 2304 4464 JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe 89 PID 4464 wrote to memory of 2304 4464 JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe 89 PID 4464 wrote to memory of 2304 4464 JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe 89 PID 4188 wrote to memory of 3960 4188 vcwwbb.exe 95 PID 4188 wrote to memory of 3960 4188 vcwwbb.exe 95 PID 4328 wrote to memory of 1412 4328 cmd.exe 96 PID 4328 wrote to memory of 1412 4328 cmd.exe 96 PID 4328 wrote to memory of 1412 4328 cmd.exe 96 PID 4188 wrote to memory of 3080 4188 vcwwbb.exe 109 PID 4188 wrote to memory of 3080 4188 vcwwbb.exe 109 PID 4188 wrote to memory of 3080 4188 vcwwbb.exe 109 PID 4188 wrote to memory of 960 4188 vcwwbb.exe 110 PID 4188 wrote to memory of 960 4188 vcwwbb.exe 110 PID 4188 wrote to memory of 2404 4188 vcwwbb.exe 111 PID 4188 wrote to memory of 2404 4188 vcwwbb.exe 111 PID 960 wrote to memory of 2112 960 msedge.exe 113 PID 960 wrote to memory of 2112 960 msedge.exe 113 PID 960 wrote to memory of 4064 960 msedge.exe 114 PID 960 wrote to memory of 4064 960 msedge.exe 114 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3912 960 msedge.exe 116 PID 960 wrote to memory of 3912 960 msedge.exe 116 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory 
of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 PID 960 wrote to memory of 3532 960 msedge.exe 115 -
System policy modification 1 TTPs 2 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vcwwbb.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | vcwwbb.exe |
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4464
- Depth 2: C:\Users\Admin\AppData\Roaming\vcwwbb.exe
  Command line: C:\Users\Admin\AppData\Roaming\vcwwbb.exe
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4188
- Depth 3: C:\Windows\System32\vssadmin.exe
  Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
  - Interacts with shadow copies
  PID: 3960
- Depth 3: C:\Windows\SysWOW64\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID: 3080
- Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 960
- Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7fffadd1f208,0x7fffadd1f214,0x7fffadd1f220
  PID: 2112
- Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1760,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=2496 /prefetch:3
  PID: 4064
- Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2120,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:8
  PID: 3532
- Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2252,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:2
  PID: 3912
- Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3512,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
  PID: 772
- Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3536,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:1
  PID: 3384
- Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4176,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:1
  PID: 4844
- Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4200,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:2
  PID: 4932
- Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3716,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3700 /prefetch:8
  PID: 2348
- Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4568,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:8
  PID: 1396
- Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5100,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8
  PID: 1464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3504,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5344 /prefetch:84⤵PID:296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5872,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:84⤵PID:5276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5872,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:84⤵PID:5348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:84⤵PID:5612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6228,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:84⤵PID:5720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:84⤵PID:5864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6372,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6444 /prefetch:84⤵PID:5872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6576,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6572 /prefetch:84⤵PID:5944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6744,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6728 /prefetch:84⤵PID:5956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6740,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6916 /prefetch:84⤵PID:5312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6908,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:84⤵PID:5520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:84⤵PID:696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4424,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:84⤵PID:260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4540,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:84⤵PID:1524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5348,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:84⤵PID:6032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6288,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=7072 /prefetch:84⤵PID:1888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5340,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3676 /prefetch:84⤵PID:4112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1812,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:84⤵PID:2416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6912,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:84⤵PID:940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5272,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:84⤵PID:5852
-
-
-
C:\Windows\System32\vssadmin.exe (depth 3, PID 2404)
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
  - Interacts with shadow copies

C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2080)
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwwbb.exe >> NUL
  - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2304)
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE >> NUL
  - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (depth 1, PID 4328)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\vcwwbb.exe
  - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Roaming\vcwwbb.exe (depth 2, PID 1412)
  C:\Users\Admin\AppData\Roaming\vcwwbb.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe (depth 1, PID 3404)
  C:\Windows\system32\cmd.exe /c C

C:\Windows\system32\vssvc.exe (depth 1, PID 2140)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (depth 1, PID 1552)
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
- Boot or Logon Autostart Execution (T1547), 1 signature
  - Registry Run Keys / Startup Folder (T1547.001), 1 signature
Defense Evasion
- Direct Volume Access (T1006), 1 signature
- Indicator Removal (T1070), 3 signatures
  - File Deletion (T1070.004), 3 signatures
- Modify Registry (T1112), 3 signatures
- Subvert Trust Controls (T1553), 1 signature
  - Install Root Certificate (T1553.004), 1 signature
Credential Access
- Credentials from Password Stores (T1555), 1 signature
  - Credentials from Web Browsers (T1555.003), 1 signature
- Unsecured Credentials (T1552), 1 signature
  - Credentials In Files (T1552.001), 1 signature
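The security-relevant command lines in the tree above are the shadow-copy deletion, the two `cmd /c del` clean-up steps that remove the dropped copy and the original sample, and the relaunch of vcwwbb.exe out of the roaming profile. The Python below is an added example, not part of the sandbox report: it re-creates those events as constructed records and runs detections over them. Parent image paths and the sample's long name under %TEMP% are assumptions (the tree only prints the 8.3 form `JAFFAC~1.EXE`). The self-deletion check matches the `del` target against the parent's image by NTFS short-name rules as well as by exact path, since a plain string compare misses `JAFFAC~1.EXE`; that short-name rule is a heuristic, not a filesystem lookup. It also tags the `C:\Windows\SysWOW64\cmd.exe` image launched from a command line that names `system32`, which is WoW64 file-system redirection and tells you the parent is a 32-bit process.

```python
"""Detections for the behaviours in the process tree above.

Added example, not part of the sandbox report. The events are constructed
from the report's command lines; parent images and the sample's on-disk
path are ASSUMED (the tree does not print them).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # image path as the OS loaded it
    cmdline: str        # command line as the parent supplied it
    parent_image: str   # assumed for the constructed events below


# Assumed: the tree only shows `del ...\JAFFAC~1.EXE`, so the sample's long
# name under %TEMP% is inferred from the submitted file name.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\vcwwbb.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed from the report (PIDs and command lines as printed there).
EVENTS = [
    ProcEvent(2404, r"C:\Windows\System32\vssadmin.exe",
              r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet', DROPPED),
    ProcEvent(2080, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwwbb.exe >> NUL', DROPPED),
    ProcEvent(2304, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE >> NUL', SAMPLE_PATH),
    ProcEvent(4328, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\vcwwbb.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(3912, EDGE, f'"{EDGE}" --type=gpu-process --string-annotations', EDGE),
]

_DEL_RE = re.compile(r'\bdel\b\s+(?:/[a-z]\s+)*(?:"([^"]+)"|([^\s>]+))', re.IGNORECASE)
_SHORT_RE = re.compile(r"^([A-Z0-9_$]{1,6})~\d+(\.[A-Z0-9]{0,3})?$", re.IGNORECASE)


def _split(path: str) -> tuple[str, str]:
    """Directory and file name of a backslash-separated Windows path."""
    head, sep, tail = path.rpartition("\\")
    return (head if sep else ""), tail


def same_file(target: str, image: str) -> bool:
    """True if `target` names `image`, exactly or by NTFS 8.3 short name.

    Heuristic: the usual short-name form is the first 6 stem characters
    (spaces and inner dots removed, other specials replaced by '_'), `~N`,
    and the first 3 extension characters. No filesystem lookup is done.
    """
    if target.lower() == image.lower():
        return True
    tdir, tname = _split(target)
    idir, iname = _split(image)
    if tdir.lower() != idir.lower():
        return False
    m = _SHORT_RE.match(tname)
    if not m:
        return False
    short_stem = m.group(1).upper()
    short_ext = (m.group(2) or ".").upper()[1:]
    long_name = iname.upper()
    long_stem, dot, long_ext = long_name.rpartition(".")
    if not dot:
        long_stem, long_ext = long_name, ""
    compact = re.sub(r"[^A-Z0-9_$]", "_", long_stem.replace(" ", "").replace(".", ""))
    return compact.startswith(short_stem) and long_ext[:3] == short_ext


def detect(ev: ProcEvent) -> list[str]:
    """Return the detection labels that fire for one process-creation event."""
    hits: list[str] = []
    image_name = _split(ev.image)[1].lower()
    cl = ev.cmdline.lower()

    # T1490 Inhibit System Recovery: vssadmin delete shadows, any switch order.
    if image_name == "vssadmin.exe" and "delete" in cl and "shadows" in cl:
        hits.append("T1490 shadow copy deletion")

    if image_name == "cmd.exe":
        # T1070.004 Indicator Removal: cmd deleting the image of its own parent.
        m = _DEL_RE.search(ev.cmdline)
        if m and ev.parent_image:
            target = m.group(1) or m.group(2)
            if same_file(target, ev.parent_image):
                hits.append("T1070.004 self-deletion of parent image")
        # cmd used to launch an executable out of the roaming profile
        # (the dropped copy vcwwbb.exe in this report).
        if re.search(r"/c\s+\S*\\appdata\\roaming\\\S+\.exe", cl):
            hits.append("execution of executable from AppData\\Roaming")

    # Image under SysWOW64 while the command line says system32: WoW64
    # file-system redirection, so the parent that spawned this is 32-bit.
    if "\\syswow64\\" in ev.image.lower() and "\\system32\\" in cl:
        hits.append("WoW64 file-system redirection (32-bit parent)")
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> detection labels for every event that fired at least one."""
    results: dict[int, list[str]] = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            results[ev.pid] = hits
    return results


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(f"PID {pid}: " + "; ".join(hits))
```

Run stand-alone it reports PIDs 2404, 2080, 2304 and 4328 and stays silent on the Edge child process; the vssadmin check deliberately does not require `/all` or `/quiet`, since either can be dropped or reordered without changing the effect on the shadow copies.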
Downloads
Filesize: 43B
MD5: af3a9104ca46f35bb5f6123d89c25966
SHA1: 1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8
SHA256: 81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea
SHA512: 6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Filesize: 134B
MD5: 049c307f30407da557545d34db8ced16
SHA1: f10b86ebfe8d30d0dc36210939ca7fa7a819d494
SHA256: c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54
SHA512: 14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Filesize: 160B
MD5: c3911ceb35539db42e5654bdd60ac956
SHA1: 71be0751e5fc583b119730dbceb2c723f2389f6c
SHA256: 31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d
SHA512: d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

Filesize: 160B
MD5: a24a1941bbb8d90784f5ef76712002f5
SHA1: 5c2b6323c7ed8913b5d0d65a4d21062c96df24eb
SHA256: 2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747
SHA512: fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Filesize: 105KB
MD5: d11d7533c72bb4f2e791d05650a45e2e
SHA1: eb1383e1d99a1c78ce2721fee15043eb7d498f63
SHA256: 3d7124bd67434b44501704e52f34ba05d545541b01335cf5fbbcefde11703ba5
SHA512: 52188a97e95b96b4ae1c219baead33cd56b84ebc82131fbb7312c379d4d847944491f42e17def5a22351796c1f4eadcbe66455162207c888eb93e7fdb1b46d71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json
Filesize: 3KB
MD5: f9fd82b572ef4ce41a3d1075acc52d22
SHA1: fdded5eef95391be440cc15f84ded0480c0141e3
SHA256: 5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6
SHA512: 17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339
Filesize: 280B
MD5: 86d82964f0f1af65f5670160f2760633
SHA1: 7e2814924a303a2681bd348359032cb5241c536c
SHA256: 8d3ffdbd57fae7374a0dbba31ebb5384e92f5ccd0e6cf8a472774e2f3558c1c3
SHA512: 9f7d3f4136bbbbd23ada4aaab910ae773ee7452fd03298ee4a2ea7b3d0477487b7640500de62d31d53f9684e835414e1c2b6447e268325db07d92134272e1e62

Filesize: 280B
MD5: 3e2d3f54d45c5239d94ff524828e2a3f
SHA1: 7e4be8132f34e8d1c8be73eaf7e0f47942fbbdd4
SHA256: 9a9a4dc3eca105b08d2a13e7399cd73db214eadad2bc8893d87eee5e93227ea9
SHA512: 3a747f1d79e8e89ed3ac4645f1f223aa9b27271dae733c94d4d06c13b512bbd10206897ac7b0a7f25679085f44659a947f9455139329df9b43476cbabdd6381b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\55519206-4218-40eb-8284-b344cf19145c.tmp
Filesize: 13KB
MD5: b8d2574b7ef64966e8c70c441f2a9344
SHA1: 9dae6666703b3e2add1a1ca93e192ad75dcc84f3
SHA256: 8659359a8b9b43b5b40d4813c21fdce16210f72150c2779aff54410752e3a364
SHA512: d398845aa47c84f8030ec59716fb408f08ce8c55421d01493ab94bfeda0bd86de2473942944578e9021eb7514c28ed53f08c5bb59f28681edbc5e9f1adba5582

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 4535da9fec37c78d4362e48bed3c08ec
SHA1: cdcc1202085a99d9fe42681554629d051571b49f
SHA256: 73682c60cce390abf0193406d87430f9fe7b2cc8256762458dd994dbb160edda
SHA512: 0185c36c65e532cbc1b0b5c81250f5a0669f81ed2905420ef913ba758285f2d806711debdd1a50e89b0a5188a8ff5070437259b8b3b1c75d98e7f3b296777281

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5863d6.TMP
Filesize: 2KB
MD5: 7dad78f506b682ae9f41e7a226bc4cd5
SHA1: 7244546106261bf981c7c6282f609ca3902c2c57
SHA256: bcbf1f33cdc34e05f1e5391d161ba2e632629530e0ac71ae2cc60ec55f05d854
SHA512: 91f5d6df7d3b3edb41cb471bd0e07c6f7954613391a8efe6f71b082736028f1a7c3020be876ba3b943a5c9b0afa806d4d5461b2dc1b7f996c417c13651cf82ce

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
Filesize: 69KB
MD5: 164a788f50529fc93a6077e50675c617
SHA1: c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256: b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512: ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\128.png.abc
Filesize: 5KB
MD5: 7d4c49af771a86e60da26a52ef9f8311
SHA1: 4a2238f583a04a3856e9f42218c44bfce50711d7
SHA256: 064f1242cf1c9c317b39ea63924f6fc44eb4cdbeb585aebad40ad5009fdf269e
SHA512: 1d81d0afcce1fda3b11f9f3d5b13d7d077ae6a8355a65068b2230935866744e237cf6760f07a463d7550f5bba2ee854ece3e51f3a69836f4527a0e3f6cbc1159

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\offscreendocument_main.js.abc
Filesize: 123KB
MD5: ec93b184f306d8160b7d39399ba8ca1a
SHA1: 631f39298227a9e156c8fae0a70e54d5814765e6
SHA256: d2d2c9e2908c1a2dc44605b0077cd394754b168610006b2fe8adacbae1e897d1
SHA512: c9363851341f9854296c67254b3b51eb754c56c6a8d1f05fb0b62381003e2c5330bdc83bba05dae3f9f6f6f55299dcf7f5d174c4ff3be9199736b9a0083d5892

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\page_embed_script.js.abc
Filesize: 766B
MD5: e12834ab6547583522c71ea4e50b575b
SHA1: a9cf50f48570d61e55c852b80a785aa2f101c9b2
SHA256: c8fb368cf131a8b656ba2dc1b52e83575fd979752b56250a4159161b9650a4a3
SHA512: d43992b5ff995916d4dd5902446269aaf3ea7a08f9100532d086743793b37a317999c2a43d6c72d9cba19925f992393797a0f33309e8c14662471fa7a36d1ec3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\service_worker_bin_prod.js.abc
Filesize: 131KB
MD5: d72bca2e9b290865b824cd77afb7059f
SHA1: e7df6aeb9d1de5d5dda56d3b9c439e83f63d244e
SHA256: 9bf3a1021484cfb16c1fa07d2755738421b93b1b8969465f81efbe20f37e18dd
SHA512: c581d5286c3f09fa4c89a04779c5aa45eb561b4fab998fc0db68252d05b10225ae7a2133ba630a0698066a590443fe8e45f105def8e308c0a527e3e877cb9f15

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js
Filesize: 9KB
MD5: 3d20584f7f6c8eac79e17cca4207fb79
SHA1: 3c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA256: 0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512: 315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59
Filesize: 108KB
MD5: 06d55006c2dec078a94558b85ae01aef
SHA1: 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256: 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512: ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

Filesize: 1KB
MD5: 28ab0a82cd032a44a253fff6000faba8
SHA1: 5be6f9510047ff976021fc5f731c87fe921f2fbb
SHA256: 8f9ccbb8806157a6823d2f5c90541de52ce8504aaa4c330ae48dc89e75027fc0
SHA512: 7ee5138dc70b2461d2f2dbf039518f16b3b699105d113bb51065f1fcc98b2cfcb5bbd95d7b6e0b18ad17277e5d2ca1ec29e5f5e25c97d5de0612c3551ff4690a

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 36KB
MD5: e3adad4f62f050c2bbf1b180d4299ba3
SHA1: ef512b67c22744643419ccf8fceb19d60fd7a2da
SHA256: 589544aa7923c5ad82c5ae893d9fb175e79bb3cd528d16d4cfd1290c1156a542
SHA512: 8973cf9d38c94233e478e94d764517a69f7c09e88892c1fd407124576ff294e67afd725ed365c9e911735aacb11754d1ca582c1e3ea1a3469ee3816a1c78b94f

Filesize: 4KB
MD5: 76f49a2c146c7e8faf216c4e362d2faa
SHA1: a1f7bd5892da21171a6a1da24c3f788aac709dcc
SHA256: 2075e51d1401d72a96f8272d0095303d474b48089d2193b4e0ed7378c85303fc
SHA512: c415e6f2f19b480d742c58e08ea4df370cf518bd38d6945f0cd9b6d5d1947f66719b30ee46e2e8d8935e294921d069587c1a858cbabf6d745602a2ea1fc4b62f
Filesize: 880B
MD5: ea043dd177f4cdd50880f10c150c3d50
SHA1: 8103600713aa3c7cc9b52d6598973961685dc29d
SHA256: 363803ea8192fb55ea7da9f152b013c084140b89a7fea071c89596bff31cca7a
SHA512: 26abc54bfb30bd0bcd90a3c390325e205ca53a28c0eefe578f5065cd72833ca491c869e3df9196924ed51346d623cefeceff9b381709df5b49bbf8cecec3c281

Filesize: 23KB
MD5: 479c0f1985bc69e9ec0457a27a43952e
SHA1: e8934a643be4583f6f19dc3e8e9d3575b517e072
SHA256: b30fa8fac5316e6472eea4457afa1454f03261e4c88982ad8f20e92fdff30da5
SHA512: e73b416146e2f0d0b38aaa6a1818fbd982f8b94394d981d35e1ca9f592b2eebd34473cc1baa2a03f3a3252be96b135e8592ed9e8f01c53e8533bc3f8ccdeddd1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe58fdf3.TMP
Filesize: 469B
MD5: 51e9fa45536dcb71d262ba67c1569cfb
SHA1: 9ab8d33c89806d08da5432e62a2550369064edc6
SHA256: 917169468a6754abf8e2fdcbe50d789517e9f85edf8edc8300699ba463347199
SHA512: d18e9d4fe69083b689d153296a416f6795bf32db5ba550b2d34aa93efb8a6a42526dd8dc6518c8b8755196cb850e65f7ade29c029847ebbc9aa80c14a85e2b40

Filesize: 22KB
MD5: 3bca8411b45106afaa963d562c371631
SHA1: 78857d33a65e7061ca18a3540c304f01e7e85325
SHA256: 4503345ee70aa9ca0f90012b665743d7c13ec7052e7a943222287973b752b9c7
SHA512: a6a7e9af6613a30730a0b87be76f87144a3483afb756445d462de7b22543027e5e8f5822e0337ba2d7b65e413e526da962783d05d226c0d13d113d57d28b56ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe590006.TMP
Filesize: 3KB
MD5: 22ed3cc04fcc2e66b81335c4395971fd
SHA1: 12ef48d70ec6f360644d2573dde99756f6ac05fb
SHA256: 27bffcff6642dfcb87ac33eea61059552bc35ccd3c0d9f4da550398351836df9
SHA512: 9219928d246a8aa761ee289b0baacc7214b028976b1b890c7f1df38ecac61cb3a90e8af1b3861929155d07af304d58ae8f7304466769669a7cd40c55ae61cf40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json
Filesize: 3KB
MD5: 94406cdd51b55c0f006cfea05745effb
SHA1: a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9
SHA256: 8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e
SHA512: d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3
Filesize: 29KB
MD5: 171cae284fb26e53a423530e825106c8
SHA1: 0cb7ea9cda1b2bc0ed15bb55eacf1d4c340559f1
SHA256: 32fb966682bbf657e95d6b7ebcf6bc31e5af14c3e287efee6385a38f8c81be0a
SHA512: ac9f01ff8350d901ae22e9a0e3a9ead3ead74115c31557ac2f3e3f98bc68ae73f4b62a19f02f2c4f9bed67c726be8e8f6e70f768ce27796765328a2518781869

Filesize: 7KB
MD5: 41c6a05b2522c6a4ebdc7fd09a392ba2
SHA1: b03d79dbfad3b3e5a7f9c1943b1f5974b630650d
SHA256: 863722e4be0e6e7df651251c3aed0de4ec8ef10ed750542c81f8e93280d776d0
SHA512: 98031164190580c2a88b88142447145dc6ed7061ce0fc071cabfbf2b07f6791ad6aeea29338dd5ed2345baccb33233784ab12ab7dc1e121c80c9e19f1f980868

Filesize: 33KB
MD5: b1419219d2331706259e7275d779d7d8
SHA1: 7fa1178af7f6df6621b5c9d0952f069565a38fb8
SHA256: 7c8d29f1c6bec73b58450cc30aa768286b1163fa9985a9ce4180aaa48e39a45b
SHA512: 3d01309b50084a5450b8cf4d7cdfaa51562ffed7bf2f27d41aacc37f87ab1cd996137b20fc1945a3dbbe96c6e58c44ce7610db0df6abd15ccc5c54e929f8d0a2

Filesize: 6KB
MD5: 47589ace426d16ddc3dd8528247a8673
SHA1: 2fbe33fe36e043407b0116b54b4e87b43ec020f6
SHA256: a69e6d97c80a37d33fa4f2a3007e583153bd27b83bcb30c99228d2d12ac2d8fa
SHA512: 8ad251fcec1eeac9580ad4aefdaea7f15e8faf7ffb3d3b22a6c1ec9daba7eed7231193ff53efcd460a2185ae93cdaf0a287d8c1e36390b537daddc30cd878f2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json
Filesize: 2KB
MD5: 499d9e568b96e759959dc69635470211
SHA1: 2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6
SHA256: 98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d
SHA512: 3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize: 2KB
MD5: a2a21130616df9e2c2e88a37e421112e
SHA1: 495f59ca4555f3387d32da114311e2ddc83f8130
SHA256: 7cb9403aa5ce6499aaa9112bc89c35ca8f925dbdc1f48e3e024d20bac4c2bfbd
SHA512: 98fc2c16ae01e71e33620dd9a968efa1cf97a9f34a958ff73c1db0340cde4c8dbea460b7c92ead10c00f876702924acf314ec3944c3c97c68d7f41e04594cb25
Filesize: 1B
MD5: 5058f1af8388633f609cadb75a75dc9d
SHA1: 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512: 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Filesize: 153KB
MD5: cc05ed3e66468e692745ba6563c69740
SHA1: eae9dbd4d36aa91fd43f7d452ac3d252b103759d
SHA256: fb1311fb7142825abacb3c7aedddf948f5c9b258e447c953ce0f7f4b19c6dfff
SHA512: 4b527db02d6ea36b914558a3e44fd3d15772bf2be4ba0a640bf70427af07dcde5ed6967930cc3624a244cfc82290f125eea2754812586216b3d5a37757ce8db4

Filesize: 10KB
MD5: 78e47dda17341bed7be45dccfd89ac87
SHA1: 1afde30e46997452d11e4a2adbbf35cce7a1404f
SHA256: 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA512: 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Filesize: 337KB (same size and hashes as the submitted sample, i.e. the dropped copy is a byte-identical clone of the original)
MD5: 06afea8ebb1fd0ab752a2242b7e01c4b
SHA1: 7a854db1ad7a94f356cf091ae2db4c0d4cb6b8a7
SHA256: ff0456237f7fd6c04b25859f926ed69cc6a55c979794afe923cefe1a0def39ea
SHA512: 35efc508e78737c8079ecff981aeedae5928f4efe30c9d8b535029d8e8616aabeec10d843842367cdeb179d8de104fa37cba6cca57d36bb5796f22ea552a9f4b

Filesize: 4KB
MD5: 0ed9e61d9eb0258408ddf2a3ac6788b8
SHA1: 36d3d9b9e2596a53caeca5876d5f534b42af1ee0
SHA256: bf89680947ca1fc4530fe1b1e27d823a3cd64b1acf900a4c74bd57f9932cb117
SHA512: 1cc82aa8fdad2ca27962a7bb14b56dda38f908986bb84d07e207c782af719391632ea566e2cdce0a2dba94537a36cdbfe92cc35c96ad35e97f65b629ae1c3488

Filesize: 2KB
MD5: 50f8b5ff1a695bb879671f3aa50f2316
SHA1: 6db81b8895532fd820e4b215869535205994d837
SHA256: 0d06b89054bda61d7f4ce8050b786ed5f6ccee3e45299e5dc58c87bdf95b651d
SHA512: 8cd804a80378425fc6f1810525ceee944070d03d0440fa870a6e4377882ca9897021f709ff301ff2f1a1c0bdcd096c4a0d5585ba5341aead339d23245c53d842