Analysis Overview
SHA256
ff0456237f7fd6c04b25859f926ed69cc6a55c979794afe923cefe1a0def39ea
Threat Level: Known bad
The file JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b was found to be: Known bad.
Malicious Activity Summary
Renames multiple (912) files with added filename extension
Deletes shadow copies
Drops startup file
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Indicator Removal: File Deletion
Drops file in Program Files directory
Browser Information Discovery
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
System policy modification
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Modifies data under HKEY_USERS
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies system certificate store
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-18 11:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-18 11:26
Reported
2025-05-18 11:29
Platform
win10v2004-20250502-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Deletes shadow copies
Renames multiple (912) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_kikbf.html | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_kikbf.html | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C:\\Users\\Admin\\AppData\\Roaming\\vcwwbb.exe" | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C" | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
Indicator Removal: File Deletion
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-125.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\10.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\restore_files_kikbf.html | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping960_1327106174\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppValueProp.svg | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-24_altform-lightunplated.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7cb.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\restore_files_kikbf.html | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200_contrast-white.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\styles.css | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineUtilities.js | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-100.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\restore_files_kikbf.html | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_kikbf.html | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\restore_files_kikbf.html | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-20.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\THMBNAIL.PNG | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsStoreLogo.scale-100.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\63.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\restore_files_kikbf.html | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\office.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-150.HCBlack.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalStoreLogo.scale-125_contrast-black.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-125.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-100.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-20_altform-unplated.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_SplashScreen.scale-100.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\3039_32x32x32.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-256.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-96.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\MedTile.scale-200.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\restore_files_kikbf.html | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\messaging\restore_files_kikbf.html | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-30_contrast-white.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-125.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lt\restore_files_kikbf.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\restore_files_kikbf.html | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FaceReco_Illustration_LRG.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-200.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\Scrubbing_icons.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_contrast-white.png | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133920412446843749" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3674642747-2260306818-3009887879-1000\{3B6C83AD-E7CD-4B36-9C9E-C407E8DBD53A} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c000000010000000400000000080000040000000100000010000000410352dc0ff7501b16f0028eba6f45c5030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c5030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef4240f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Roaming\vcwwbb.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe"
C:\Users\Admin\AppData\Roaming\vcwwbb.exe
C:\Users\Admin\AppData\Roaming\vcwwbb.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE >> NUL
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\vcwwbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C
C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
C:\Users\Admin\AppData\Roaming\vcwwbb.exe
C:\Users\Admin\AppData\Roaming\vcwwbb.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML
C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7fffadd1f208,0x7fffadd1f214,0x7fffadd1f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1760,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=2496 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2120,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2252,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3512,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3536,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4176,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4200,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3716,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3700 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4568,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5100,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3504,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5344 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5872,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5872,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6228,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6372,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6576,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6572 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6744,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6728 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6740,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6916 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6908,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwwbb.exe >> NUL
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4424,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4540,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5348,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6288,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=7072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5340,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3676 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1812,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6912,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5272,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | asecproteccion.com | udp |
| US | 8.8.8.8:53 | almaco.es | udp |
| ES | 217.76.128.47:80 | almaco.es | tcp |
| US | 8.8.8.8:53 | light-tech.pl | udp |
| PL | 185.208.164.61:80 | light-tech.pl | tcp |
| PL | 185.208.164.61:443 | light-tech.pl | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | mustdecor.com.br | udp |
| US | 8.8.8.8:53 | ghostwriter-24.de | udp |
| DE | 91.90.146.100:80 | ghostwriter-24.de | tcp |
| DE | 91.90.146.100:443 | ghostwriter-24.de | tcp |
| US | 8.8.8.8:53 | alexsinden.co.uk | udp |
| GB | 68.183.44.1:80 | alexsinden.co.uk | tcp |
| US | 8.8.8.8:53 | djdkduep62kz4nzx.onion.to | udp |
| US | 8.8.8.8:53 | djdkduep62kz4nzx.tor2web.org | udp |
| AU | 103.198.0.111:443 | djdkduep62kz4nzx.tor2web.org | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:80 | edge.microsoft.com | tcp |
| US | 150.171.28.11:80 | edge.microsoft.com | tcp |
| GB | 142.250.200.46:443 | clients2.google.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| GB | 142.250.200.46:443 | clients2.google.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| GB | 2.18.27.92:443 | copilot.microsoft.com | tcp |
| GB | 142.250.200.46:443 | clients2.google.com | tcp |
| GB | 2.18.27.92:443 | copilot.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 142.250.187.193:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | asecproteccion.com | udp |
| ES | 217.76.128.47:80 | almaco.es | tcp |
| GB | 2.18.190.174:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | tcp |
| PL | 185.208.164.61:80 | light-tech.pl | tcp |
| PL | 185.208.164.61:443 | light-tech.pl | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | mustdecor.com.br | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| DE | 91.90.146.100:443 | ghostwriter-24.de | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 68.183.44.1:80 | alexsinden.co.uk | tcp |
| US | 8.8.8.8:53 | djdkduep62kz4nzx.onion.to | udp |
| AU | 103.198.0.111:443 | djdkduep62kz4nzx.tor2web.org | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 13.107.246.64:443 | static.edge.microsoftapp.net | tcp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-cloud-resource-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-cloud-resource-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-cloud-resource-static.azureedge.net | tcp |
| US | 13.107.246.64:443 | edge-cloud-resource-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
Files
memory/4464-0-0x0000000000710000-0x0000000000714000-memory.dmp
memory/4464-1-0x0000000000400000-0x000000000057F000-memory.dmp
memory/4464-5-0x0000000000830000-0x0000000000833000-memory.dmp
memory/4464-6-0x0000000074240000-0x0000000074279000-memory.dmp
C:\Users\Admin\AppData\Roaming\vcwwbb.exe
| MD5 | 06afea8ebb1fd0ab752a2242b7e01c4b |
| SHA1 | 7a854db1ad7a94f356cf091ae2db4c0d4cb6b8a7 |
| SHA256 | ff0456237f7fd6c04b25859f926ed69cc6a55c979794afe923cefe1a0def39ea |
| SHA512 | 35efc508e78737c8079ecff981aeedae5928f4efe30c9d8b535029d8e8616aabeec10d843842367cdeb179d8de104fa37cba6cca57d36bb5796f22ea552a9f4b |
memory/4188-11-0x0000000000400000-0x000000000057F000-memory.dmp
memory/4188-15-0x00000000006A0000-0x00000000006A3000-memory.dmp
memory/4464-17-0x0000000074240000-0x0000000074279000-memory.dmp
memory/4188-18-0x0000000074240000-0x0000000074279000-memory.dmp
memory/4464-16-0x0000000000400000-0x000000000057F000-memory.dmp
memory/1412-21-0x0000000000400000-0x000000000057F000-memory.dmp
C:\Users\restore_files_kikbf.txt
| MD5 | 50f8b5ff1a695bb879671f3aa50f2316 |
| SHA1 | 6db81b8895532fd820e4b215869535205994d837 |
| SHA256 | 0d06b89054bda61d7f4ce8050b786ed5f6ccee3e45299e5dc58c87bdf95b651d |
| SHA512 | 8cd804a80378425fc6f1810525ceee944070d03d0440fa870a6e4377882ca9897021f709ff301ff2f1a1c0bdcd096c4a0d5585ba5341aead339d23245c53d842 |
C:\Users\restore_files_kikbf.html
| MD5 | 0ed9e61d9eb0258408ddf2a3ac6788b8 |
| SHA1 | 36d3d9b9e2596a53caeca5876d5f534b42af1ee0 |
| SHA256 | bf89680947ca1fc4530fe1b1e27d823a3cd64b1acf900a4c74bd57f9932cb117 |
| SHA512 | 1cc82aa8fdad2ca27962a7bb14b56dda38f908986bb84d07e207c782af719391632ea566e2cdce0a2dba94537a36cdbfe92cc35c96ad35e97f65b629ae1c3488 |
memory/1412-43-0x0000000074240000-0x0000000074279000-memory.dmp
memory/1412-65-0x0000000000400000-0x000000000057F000-memory.dmp
memory/1412-66-0x0000000074240000-0x0000000074279000-memory.dmp
memory/4188-4742-0x0000000000400000-0x000000000057F000-memory.dmp
memory/4188-8861-0x0000000000400000-0x000000000057F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 86d82964f0f1af65f5670160f2760633 |
| SHA1 | 7e2814924a303a2681bd348359032cb5241c536c |
| SHA256 | 8d3ffdbd57fae7374a0dbba31ebb5384e92f5ccd0e6cf8a472774e2f3558c1c3 |
| SHA512 | 9f7d3f4136bbbbd23ada4aaab910ae773ee7452fd03298ee4a2ea7b3d0477487b7640500de62d31d53f9684e835414e1c2b6447e268325db07d92134272e1e62 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 41c6a05b2522c6a4ebdc7fd09a392ba2 |
| SHA1 | b03d79dbfad3b3e5a7f9c1943b1f5974b630650d |
| SHA256 | 863722e4be0e6e7df651251c3aed0de4ec8ef10ed750542c81f8e93280d776d0 |
| SHA512 | 98031164190580c2a88b88142447145dc6ed7061ce0fc071cabfbf2b07f6791ad6aeea29338dd5ed2345baccb33233784ab12ab7dc1e121c80c9e19f1f980868 |
\??\pipe\crashpad_960_POSDOOUYHIJAUUAF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 47589ace426d16ddc3dd8528247a8673 |
| SHA1 | 2fbe33fe36e043407b0116b54b4e87b43ec020f6 |
| SHA256 | a69e6d97c80a37d33fa4f2a3007e583153bd27b83bcb30c99228d2d12ac2d8fa |
| SHA512 | 8ad251fcec1eeac9580ad4aefdaea7f15e8faf7ffb3d3b22a6c1ec9daba7eed7231193ff53efcd460a2185ae93cdaf0a287d8c1e36390b537daddc30cd878f2a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3e2d3f54d45c5239d94ff524828e2a3f |
| SHA1 | 7e4be8132f34e8d1c8be73eaf7e0f47942fbbdd4 |
| SHA256 | 9a9a4dc3eca105b08d2a13e7399cd73db214eadad2bc8893d87eee5e93227ea9 |
| SHA512 | 3a747f1d79e8e89ed3ac4645f1f223aa9b27271dae733c94d4d06c13b512bbd10206897ac7b0a7f25679085f44659a947f9455139329df9b43476cbabdd6381b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
| MD5 | 164a788f50529fc93a6077e50675c617 |
| SHA1 | c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48 |
| SHA256 | b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17 |
| SHA512 | ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
| MD5 | a2a21130616df9e2c2e88a37e421112e |
| SHA1 | 495f59ca4555f3387d32da114311e2ddc83f8130 |
| SHA256 | 7cb9403aa5ce6499aaa9112bc89c35ca8f925dbdc1f48e3e024d20bac4c2bfbd |
| SHA512 | 98fc2c16ae01e71e33620dd9a968efa1cf97a9f34a958ff73c1db0340cde4c8dbea460b7c92ead10c00f876702924acf314ec3944c3c97c68d7f41e04594cb25 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
| MD5 | 06d55006c2dec078a94558b85ae01aef |
| SHA1 | 6a9b33e794b38153f67d433b30ac2a7cf66761e6 |
| SHA256 | 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd |
| SHA512 | ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
| MD5 | 76f49a2c146c7e8faf216c4e362d2faa |
| SHA1 | a1f7bd5892da21171a6a1da24c3f788aac709dcc |
| SHA256 | 2075e51d1401d72a96f8272d0095303d474b48089d2193b4e0ed7378c85303fc |
| SHA512 | c415e6f2f19b480d742c58e08ea4df370cf518bd38d6945f0cd9b6d5d1947f66719b30ee46e2e8d8935e294921d069587c1a858cbabf6d745602a2ea1fc4b62f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Temp\b401ed58-47c6-49a0-a202-b6edeffb79f9.tmp
| MD5 | cc05ed3e66468e692745ba6563c69740 |
| SHA1 | eae9dbd4d36aa91fd43f7d452ac3d252b103759d |
| SHA256 | fb1311fb7142825abacb3c7aedddf948f5c9b258e447c953ce0f7f4b19c6dfff |
| SHA512 | 4b527db02d6ea36b914558a3e44fd3d15772bf2be4ba0a640bf70427af07dcde5ed6967930cc3624a244cfc82290f125eea2754812586216b3d5a37757ce8db4 |
C:\Users\Admin\AppData\Local\Temp\32dbcd0f-8607-4746-aa7e-17bccdc00ece.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Temp\f72a8ea6-ca1f-4e5c-b388-0d0d75e6986e.tmp
| MD5 | 78e47dda17341bed7be45dccfd89ac87 |
| SHA1 | 1afde30e46997452d11e4a2adbbf35cce7a1404f |
| SHA256 | 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550 |
| SHA512 | 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist
| MD5 | d11d7533c72bb4f2e791d05650a45e2e |
| SHA1 | eb1383e1d99a1c78ce2721fee15043eb7d498f63 |
| SHA256 | 3d7124bd67434b44501704e52f34ba05d545541b01335cf5fbbcefde11703ba5 |
| SHA512 | 52188a97e95b96b4ae1c219baead33cd56b84ebc82131fbb7312c379d4d847944491f42e17def5a22351796c1f4eadcbe66455162207c888eb93e7fdb1b46d71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js
| MD5 | 3d20584f7f6c8eac79e17cca4207fb79 |
| SHA1 | 3c16dcc27ae52431c8cdd92fbaab0341524d3092 |
| SHA256 | 0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643 |
| SHA512 | 315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59 |
memory/4188-9329-0x0000000000400000-0x000000000057F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\55519206-4218-40eb-8284-b344cf19145c.tmp
| MD5 | b8d2574b7ef64966e8c70c441f2a9344 |
| SHA1 | 9dae6666703b3e2add1a1ca93e192ad75dcc84f3 |
| SHA256 | 8659359a8b9b43b5b40d4813c21fdce16210f72150c2779aff54410752e3a364 |
| SHA512 | d398845aa47c84f8030ec59716fb408f08ce8c55421d01493ab94bfeda0bd86de2473942944578e9021eb7514c28ed53f08c5bb59f28681edbc5e9f1adba5582 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | e3adad4f62f050c2bbf1b180d4299ba3 |
| SHA1 | ef512b67c22744643419ccf8fceb19d60fd7a2da |
| SHA256 | 589544aa7923c5ad82c5ae893d9fb175e79bb3cd528d16d4cfd1290c1156a542 |
| SHA512 | 8973cf9d38c94233e478e94d764517a69f7c09e88892c1fd407124576ff294e67afd725ed365c9e911735aacb11754d1ca582c1e3ea1a3469ee3816a1c78b94f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 171cae284fb26e53a423530e825106c8 |
| SHA1 | 0cb7ea9cda1b2bc0ed15bb55eacf1d4c340559f1 |
| SHA256 | 32fb966682bbf657e95d6b7ebcf6bc31e5af14c3e287efee6385a38f8c81be0a |
| SHA512 | ac9f01ff8350d901ae22e9a0e3a9ead3ead74115c31557ac2f3e3f98bc68ae73f4b62a19f02f2c4f9bed67c726be8e8f6e70f768ce27796765328a2518781869 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5863d6.TMP
| MD5 | 7dad78f506b682ae9f41e7a226bc4cd5 |
| SHA1 | 7244546106261bf981c7c6282f609ca3902c2c57 |
| SHA256 | bcbf1f33cdc34e05f1e5391d161ba2e632629530e0ac71ae2cc60ec55f05d854 |
| SHA512 | 91f5d6df7d3b3edb41cb471bd0e07c6f7954613391a8efe6f71b082736028f1a7c3020be876ba3b943a5c9b0afa806d4d5461b2dc1b7f996c417c13651cf82ce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 4535da9fec37c78d4362e48bed3c08ec |
| SHA1 | cdcc1202085a99d9fe42681554629d051571b49f |
| SHA256 | 73682c60cce390abf0193406d87430f9fe7b2cc8256762458dd994dbb160edda |
| SHA512 | 0185c36c65e532cbc1b0b5c81250f5a0669f81ed2905420ef913ba758285f2d806711debdd1a50e89b0a5188a8ff5070437259b8b3b1c75d98e7f3b296777281 |
memory/4188-9448-0x0000000074240000-0x0000000074279000-memory.dmp
memory/4188-9447-0x0000000000400000-0x000000000057F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\service_worker_bin_prod.js.abc
| MD5 | d72bca2e9b290865b824cd77afb7059f |
| SHA1 | e7df6aeb9d1de5d5dda56d3b9c439e83f63d244e |
| SHA256 | 9bf3a1021484cfb16c1fa07d2755738421b93b1b8969465f81efbe20f37e18dd |
| SHA512 | c581d5286c3f09fa4c89a04779c5aa45eb561b4fab998fc0db68252d05b10225ae7a2133ba630a0698066a590443fe8e45f105def8e308c0a527e3e877cb9f15 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\page_embed_script.js.abc
| MD5 | e12834ab6547583522c71ea4e50b575b |
| SHA1 | a9cf50f48570d61e55c852b80a785aa2f101c9b2 |
| SHA256 | c8fb368cf131a8b656ba2dc1b52e83575fd979752b56250a4159161b9650a4a3 |
| SHA512 | d43992b5ff995916d4dd5902446269aaf3ea7a08f9100532d086743793b37a317999c2a43d6c72d9cba19925f992393797a0f33309e8c14662471fa7a36d1ec3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\offscreendocument_main.js.abc
| MD5 | ec93b184f306d8160b7d39399ba8ca1a |
| SHA1 | 631f39298227a9e156c8fae0a70e54d5814765e6 |
| SHA256 | d2d2c9e2908c1a2dc44605b0077cd394754b168610006b2fe8adacbae1e897d1 |
| SHA512 | c9363851341f9854296c67254b3b51eb754c56c6a8d1f05fb0b62381003e2c5330bdc83bba05dae3f9f6f6f55299dcf7f5d174c4ff3be9199736b9a0083d5892 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\128.png.abc
| MD5 | 7d4c49af771a86e60da26a52ef9f8311 |
| SHA1 | 4a2238f583a04a3856e9f42218c44bfce50711d7 |
| SHA256 | 064f1242cf1c9c317b39ea63924f6fc44eb4cdbeb585aebad40ad5009fdf269e |
| SHA512 | 1d81d0afcce1fda3b11f9f3d5b13d7d077ae6a8355a65068b2230935866744e237cf6760f07a463d7550f5bba2ee854ece3e51f3a69836f4527a0e3f6cbc1159 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | ea043dd177f4cdd50880f10c150c3d50 |
| SHA1 | 8103600713aa3c7cc9b52d6598973961685dc29d |
| SHA256 | 363803ea8192fb55ea7da9f152b013c084140b89a7fea071c89596bff31cca7a |
| SHA512 | 26abc54bfb30bd0bcd90a3c390325e205ca53a28c0eefe578f5065cd72833ca491c869e3df9196924ed51346d623cefeceff9b381709df5b49bbf8cecec3c281 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe58fdf3.TMP
| MD5 | 51e9fa45536dcb71d262ba67c1569cfb |
| SHA1 | 9ab8d33c89806d08da5432e62a2550369064edc6 |
| SHA256 | 917169468a6754abf8e2fdcbe50d789517e9f85edf8edc8300699ba463347199 |
| SHA512 | d18e9d4fe69083b689d153296a416f6795bf32db5ba550b2d34aa93efb8a6a42526dd8dc6518c8b8755196cb850e65f7ade29c029847ebbc9aa80c14a85e2b40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig
| MD5 | 3bca8411b45106afaa963d562c371631 |
| SHA1 | 78857d33a65e7061ca18a3540c304f01e7e85325 |
| SHA256 | 4503345ee70aa9ca0f90012b665743d7c13ec7052e7a943222287973b752b9c7 |
| SHA512 | a6a7e9af6613a30730a0b87be76f87144a3483afb756445d462de7b22543027e5e8f5822e0337ba2d7b65e413e526da962783d05d226c0d13d113d57d28b56ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe590006.TMP
| MD5 | 22ed3cc04fcc2e66b81335c4395971fd |
| SHA1 | 12ef48d70ec6f360644d2573dde99756f6ac05fb |
| SHA256 | 27bffcff6642dfcb87ac33eea61059552bc35ccd3c0d9f4da550398351836df9 |
| SHA512 | 9219928d246a8aa761ee289b0baacc7214b028976b1b890c7f1df38ecac61cb3a90e8af1b3861929155d07af304d58ae8f7304466769669a7cd40c55ae61cf40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | 479c0f1985bc69e9ec0457a27a43952e |
| SHA1 | e8934a643be4583f6f19dc3e8e9d3575b517e072 |
| SHA256 | b30fa8fac5316e6472eea4457afa1454f03261e4c88982ad8f20e92fdff30da5 |
| SHA512 | e73b416146e2f0d0b38aaa6a1818fbd982f8b94394d981d35e1ca9f592b2eebd34473cc1baa2a03f3a3252be96b135e8592ed9e8f01c53e8533bc3f8ccdeddd1 |
C:\Program Files\chrome_Unpacker_BeginUnzipping960_1186905608\manifest.json
| MD5 | af3a9104ca46f35bb5f6123d89c25966 |
| SHA1 | 1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8 |
| SHA256 | 81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea |
| SHA512 | 6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b1419219d2331706259e7275d779d7d8 |
| SHA1 | 7fa1178af7f6df6621b5c9d0952f069565a38fb8 |
| SHA256 | 7c8d29f1c6bec73b58450cc30aa768286b1163fa9985a9ce4180aaa48e39a45b |
| SHA512 | 3d01309b50084a5450b8cf4d7cdfaa51562ffed7bf2f27d41aacc37f87ab1cd996137b20fc1945a3dbbe96c6e58c44ce7610db0df6abd15ccc5c54e929f8d0a2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 28ab0a82cd032a44a253fff6000faba8 |
| SHA1 | 5be6f9510047ff976021fc5f731c87fe921f2fbb |
| SHA256 | 8f9ccbb8806157a6823d2f5c90541de52ce8504aaa4c330ae48dc89e75027fc0 |
| SHA512 | 7ee5138dc70b2461d2f2dbf039518f16b3b699105d113bb51065f1fcc98b2cfcb5bbd95d7b6e0b18ad17277e5d2ca1ec29e5f5e25c97d5de0612c3551ff4690a |
C:\Program Files\chrome_Unpacker_BeginUnzipping960_1327106174\manifest.json
| MD5 | 049c307f30407da557545d34db8ced16 |
| SHA1 | f10b86ebfe8d30d0dc36210939ca7fa7a819d494 |
| SHA256 | c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54 |
| SHA512 | 14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json
| MD5 | f9fd82b572ef4ce41a3d1075acc52d22 |
| SHA1 | fdded5eef95391be440cc15f84ded0480c0141e3 |
| SHA256 | 5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6 |
| SHA512 | 17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339 |
C:\Program Files\chrome_Unpacker_BeginUnzipping960_1788052671\manifest.json
| MD5 | c3911ceb35539db42e5654bdd60ac956 |
| SHA1 | 71be0751e5fc583b119730dbceb2c723f2389f6c |
| SHA256 | 31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d |
| SHA512 | d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json
| MD5 | 499d9e568b96e759959dc69635470211 |
| SHA1 | 2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6 |
| SHA256 | 98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d |
| SHA512 | 3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905 |
C:\Program Files\chrome_Unpacker_BeginUnzipping960_714335852\manifest.json
| MD5 | a24a1941bbb8d90784f5ef76712002f5 |
| SHA1 | 5c2b6323c7ed8913b5d0d65a4d21062c96df24eb |
| SHA256 | 2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747 |
| SHA512 | fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json
| MD5 | 94406cdd51b55c0f006cfea05745effb |
| SHA1 | a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9 |
| SHA256 | 8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e |
| SHA512 | d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3 |