Malware Analysis Report

2025-08-10 20:09

Sample ID 250518-nka68acm7z
Target JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b
SHA256 ff0456237f7fd6c04b25859f926ed69cc6a55c979794afe923cefe1a0def39ea
Tags
defense_evasion discovery execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff0456237f7fd6c04b25859f926ed69cc6a55c979794afe923cefe1a0def39ea

Threat Level: Known bad

The file JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution impact persistence ransomware spyware stealer

Renames multiple (912) files with added filename extension

Deletes shadow copies

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Indicator Removal: File Deletion

Drops file in Program Files directory

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

System policy modification

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Modifies data under HKEY_USERS

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 11:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 11:26

Reported

2025-05-18 11:29

Platform

win10v2004-20250502-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (912) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_kikbf.html C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_kikbf.html C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C:\\Users\\Admin\\AppData\\Roaming\\vcwwbb.exe" C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C" C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-125.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\10.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\restore_files_kikbf.html C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping960_1327106174\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppValueProp.svg C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7cb.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\restore_files_kikbf.html C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\styles.css C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineUtilities.js C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\restore_files_kikbf.html C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_kikbf.html C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\restore_files_kikbf.html C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-20.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\THMBNAIL.PNG C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsStoreLogo.scale-100.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\63.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\restore_files_kikbf.html C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\office.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-150.HCBlack.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalStoreLogo.scale-125_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-100.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_SplashScreen.scale-100.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\3039_32x32x32.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-256.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-96.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\restore_files_kikbf.html C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\messaging\restore_files_kikbf.html C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-30_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\restore_files_kikbf.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\restore_files_kikbf.html C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FaceReco_Illustration_LRG.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\Scrubbing_icons.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133920412446843749" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3674642747-2260306818-3009887879-1000\{3B6C83AD-E7CD-4B36-9C9E-C407E8DBD53A} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [hex-encoded certificate blob omitted] C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe C:\Users\Admin\AppData\Roaming\vcwwbb.exe
PID 4464 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe C:\Users\Admin\AppData\Roaming\vcwwbb.exe
PID 4464 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe C:\Users\Admin\AppData\Roaming\vcwwbb.exe
PID 4464 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe C:\Windows\System32\vssadmin.exe
PID 4188 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe C:\Windows\System32\vssadmin.exe
PID 4328 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\vcwwbb.exe
PID 4328 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\vcwwbb.exe
PID 4328 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\vcwwbb.exe
PID 4188 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4188 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4188 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4188 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4188 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4188 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe C:\Windows\System32\vssadmin.exe
PID 4188 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\vcwwbb.exe C:\Windows\System32\vssadmin.exe
PID 960 wrote to memory of 2112 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 2112 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 4064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 4064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 960 wrote to memory of 3532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vcwwbb.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe"

C:\Users\Admin\AppData\Roaming\vcwwbb.exe

C:\Users\Admin\AppData\Roaming\vcwwbb.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE >> NUL

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\vcwwbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Users\Admin\AppData\Roaming\vcwwbb.exe

C:\Users\Admin\AppData\Roaming\vcwwbb.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7fffadd1f208,0x7fffadd1f214,0x7fffadd1f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1760,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=2496 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2120,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2252,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3512,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3536,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4176,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4200,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3716,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4568,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5100,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3504,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5344 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5872,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5872,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6228,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6372,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6444 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6576,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6572 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6744,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6728 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6740,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6908,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwwbb.exe >> NUL

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4424,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4540,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5348,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6288,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=7072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5340,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=3676 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1812,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6912,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5272,i,7662202828132933204,3494702098035904097,262144 --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:8
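
The process list above, read together with the System policy modification table, is the whole ransomware sequence the signatures summarise: the sample copies itself to %AppData%\vcwwbb.exe (same hashes as the original, see Files), removes the original through cmd.exe (/c del ... >> NUL), relaunches the copy through cmd.exe, runs vssadmin delete shadows /all /Quiet twice, opens the ransom note in NOTEPAD.EXE and again in Edge (RESTORE_FILES.TXT / RESTORE_FILES.HTML), sets EnableLinkedConnections=1 so that drive letters mapped under the user's standard token are also visible to the UAC-elevated token (which is what lets an elevated encryptor reach mapped network shares), and finally deletes the copy as well. The Python below is an added example and is not part of the sandbox report or of the sample: a small rule engine that scores each event line for those behaviours so the same logic can be pointed at EDR process-creation and registry telemetry. The rule names, weights and threshold are my own; the input lines are copied from this report.

```python
"""Event-line triage for the process list and the System policy modification above.

Added example, not part of the sandbox report or of the sample: a small rule
engine that scores command lines and registry writes for the behaviours the
report's signatures flag. Rule names, weights and the threshold are my own.
"""
import re

# Lines copied from this report: the Processes command lines and the
# EnableLinkedConnections registry write. Not live telemetry.
REPORT_EVENTS = [
    r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06afea8ebb1fd0ab752a2242b7e01c4b.exe"',
    r'C:\Users\Admin\AppData\Roaming\vcwwbb.exe',
    r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE >> NUL',
    r'C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\vcwwbb.exe',
    r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet',
    r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML',
    r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwwbb.exe >> NUL',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"',
]

# (name, weight, pattern), matched case-insensitively against one event line.
RULES = [
    # vssadmin delete shadows: removes the restore points the victim would use.
    ("shadow_copy_delete", 8, r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b'),
    # cmd /c del <something>.exe: a launcher removing itself or its dropper.
    ("self_delete_via_cmd", 5, r'cmd(?:\.exe)?"?\s+/c\s+del\s+\S*\.exe\b'),
    # cmd /c <exe under AppData>: relaunch of a payload from a user-writable dir.
    ("cmd_runs_appdata_exe", 3, r'cmd(?:\.exe)?"?\s+/c\s+"?[a-z]:\\users\\[^\\\s]+\\appdata\\\S*\.exe\b'),
    # notepad/msedge opening a file named like a ransom note.
    ("ransom_note_opened", 5, r'(?:notepad|msedge)(?:\.exe)?"?\s.*?(?:restore_files|readme|how_to|decrypt)[^\s\\]*\.(?:txt|html?)\b'),
    # Plain execution of an exe from AppData\Roaming or Local\Temp.
    ("exe_in_user_writable_dir", 2, r'^"?[a-z]:\\users\\[^\\\s]+\\appdata\\(?:roaming|local\\temp)\\[^\\\s"]+\.exe"?(?:\s|$)'),
    # EnableLinkedConnections=1: drive letters mapped by the standard token are
    # visible to the elevated token, so an elevated encryptor reaches shares.
    ("linked_connections_enabled", 4, r'Policies\\System\\EnableLinkedConnections\s*=\s*"?1"?'),
]
COMPILED = [(name, weight, re.compile(pat, re.IGNORECASE)) for name, weight, pat in RULES]
WEIGHT = {name: weight for name, weight, _pat in RULES}


def score_event(line):
    """Return (score, [rule names]) for one command line or registry write."""
    hits = [name for name, _w, rx in COMPILED if rx.search(line)]
    return sum(WEIGHT[h] for h in hits), hits


def triage(lines, threshold=5):
    """Events whose score reaches the threshold, highest score first."""
    out = []
    for line in lines:
        score, hits = score_event(line)
        if score >= threshold:
            out.append({"score": score, "rules": hits, "event": line})
    return sorted(out, key=lambda e: -e["score"])


def host_verdict(lines):
    """Combine the distinct rules hit across all of a host's events."""
    seen = set()
    for line in lines:
        seen.update(score_event(line)[1])
    # A shadow-copy wipe together with a ransom note or a self-delete is the
    # ransomware pattern; vssadmin alone is also run by admins during maintenance.
    ransomware = "shadow_copy_delete" in seen and bool(
        {"ransom_note_opened", "self_delete_via_cmd"} & seen)
    return {"score": sum(WEIGHT[r] for r in seen), "rules": sorted(seen),
            "ransomware": ransomware}


if __name__ == "__main__":
    for e in triage(REPORT_EVENTS):
        print(e["score"], ",".join(e["rules"]), e["event"][:70])
    print(host_verdict(REPORT_EVENTS))
```

Run against the report's own lines, the two vssadmin invocations, both cmd /c del lines and both ransom-note viewers cross the threshold, the Edge renderer line scores zero, and the registry write alone stays below it; the host verdict is positive because shadow-copy deletion and a ransom note occur on the same host. The weights are deliberately coarse; tune them against your own baseline before deploying.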

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 asecproteccion.com udp
US 8.8.8.8:53 almaco.es udp
ES 217.76.128.47:80 almaco.es tcp
US 8.8.8.8:53 light-tech.pl udp
PL 185.208.164.61:80 light-tech.pl tcp
PL 185.208.164.61:443 light-tech.pl tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 mustdecor.com.br udp
US 8.8.8.8:53 ghostwriter-24.de udp
DE 91.90.146.100:80 ghostwriter-24.de tcp
DE 91.90.146.100:443 ghostwriter-24.de tcp
US 8.8.8.8:53 alexsinden.co.uk udp
GB 68.183.44.1:80 alexsinden.co.uk tcp
US 8.8.8.8:53 djdkduep62kz4nzx.onion.to udp
US 8.8.8.8:53 djdkduep62kz4nzx.tor2web.org udp
AU 103.198.0.111:443 djdkduep62kz4nzx.tor2web.org tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:80 edge.microsoft.com tcp
US 150.171.28.11:80 edge.microsoft.com tcp
GB 142.250.200.46:443 clients2.google.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
GB 142.250.200.46:443 clients2.google.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
GB 2.18.27.92:443 copilot.microsoft.com tcp
GB 142.250.200.46:443 clients2.google.com tcp
GB 2.18.27.92:443 copilot.microsoft.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 142.250.187.193:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 asecproteccion.com udp
ES 217.76.128.47:80 almaco.es tcp
GB 2.18.190.174:443 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com tcp
PL 185.208.164.61:80 light-tech.pl tcp
PL 185.208.164.61:443 light-tech.pl tcp
GB 2.18.27.76:443 www.bing.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 mustdecor.com.br udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
DE 91.90.146.100:443 ghostwriter-24.de tcp
N/A 224.0.0.251:5353 udp
GB 68.183.44.1:80 alexsinden.co.uk tcp
US 8.8.8.8:53 djdkduep62kz4nzx.onion.to udp
AU 103.198.0.111:443 djdkduep62kz4nzx.tor2web.org tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
GB 2.18.27.76:443 www.bing.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 13.107.246.64:443 static.edge.microsoftapp.net tcp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-cloud-resource-static.azureedge.net udp
US 8.8.8.8:53 edge-cloud-resource-static.azureedge.net udp
US 13.107.246.64:443 edge-cloud-resource-static.azureedge.net tcp
US 13.107.246.64:443 edge-cloud-resource-static.azureedge.net tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
GB 2.18.27.76:443 www.bing.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
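
Most rows in the Network table are Edge telemetry produced when the sample opened RESTORE_FILES.HTML in the browser (edge.microsoft.com, bing, google, azureedge, pki.goog). The rows that matter are the external IP lookup against ipinfo.io (the "Looks up external IP address via web service" signature), the Tor2Web gateways djdkduep62kz4nzx.onion.to and djdkduep62kz4nzx.tor2web.org, which let a host with no Tor client reach the djdkduep62kz4nzx.onion service (only the tor2web.org name was actually connected, on 103.198.0.111:443), a handful of unrelated small-business domains contacted on 80/443 (almaco.es, light-tech.pl, ghostwriter-24.de, alexsinden.co.uk), and two names that were resolved but never connected (asecproteccion.com, mustdecor.com.br). The table has no process column, so which of these the sample itself contacted, and whether the small-business hosts serve payloads or C2, remains an open question for the analyst. The Python below is an added example and is not part of the report: it parses the table rows, drops the browser noise and buckets the remainder. The allow and deny lists are my own assumptions; the rows are a subset copied from the table above.

```python
"""Network-table triage for the Network section above.

Added example, not part of the sandbox report. It parses "Country Destination
Domain Proto" rows, drops browser and sandbox telemetry, and pulls out what an
analyst wants first: external-IP lookup services, Tor2Web gateways (and the
.onion address behind them), names that were only resolved, and hosts that were
actually contacted and still need review. The lists are my own assumptions.
"""
import ipaddress
from collections import defaultdict

# Rows copied from the report's Network table (a representative subset).
NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 asecproteccion.com udp
ES 217.76.128.47:80 almaco.es tcp
PL 185.208.164.61:443 light-tech.pl tcp
DE 91.90.146.100:80 ghostwriter-24.de tcp
GB 68.183.44.1:80 alexsinden.co.uk tcp
US 8.8.8.8:53 djdkduep62kz4nzx.onion.to udp
US 8.8.8.8:53 djdkduep62kz4nzx.tor2web.org udp
AU 103.198.0.111:443 djdkduep62kz4nzx.tor2web.org tcp
US 150.171.28.11:443 edge.microsoft.com tcp
GB 142.250.200.46:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 mustdecor.com.br udp
"""

# Assumed: telemetry a clean Edge launch produces in this sandbox.
NOISE_SUFFIXES = ("microsoft.com", "bing.com", "bing.net", "google.com",
                  "googleusercontent.com", "azureedge.net", "pki.goog",
                  "microsoftapp.net")
# Assumed: public "what is my IP" services (ipinfo.io is the one in the report).
IP_LOOKUP_DOMAINS = {"ipinfo.io", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
# Assumed: clearnet-to-Tor gateway suffixes (onion.to and tor2web.org are in the report).
TOR_GATEWAY_SUFFIXES = ("onion.to", "tor2web.org", "onion.ws", "onion.ly", "onion.link")


def _has_suffix(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def parse_row(line):
    """'US 8.8.8.8:53 ipinfo.io udp' -> dict. The mDNS row has no domain column."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:  # e.g. 'N/A 224.0.0.251:5353 udp'
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain.lower(), "proto": proto.lower()}


def onion_name(gateway_domain):
    """'abc.tor2web.org' -> 'abc.onion'; None if the name is not a gateway host."""
    for s in TOR_GATEWAY_SUFFIXES:
        if gateway_domain.endswith("." + s):
            return gateway_domain[: -len(s) - 1] + ".onion"
    return None


def triage_network(rows):
    parsed = [parse_row(r) for r in rows.strip().splitlines()]
    resolved, connected = set(), defaultdict(set)
    for r in parsed:
        if not r["domain"] or ipaddress.ip_address(r["ip"]).is_multicast:
            continue  # mDNS and similar link-local chatter
        if r["port"] == 53 and r["proto"] == "udp":
            resolved.add(r["domain"])  # DNS lookup only
        else:
            connected[r["domain"]].add((r["ip"], r["port"]))
    result = {"noise": [], "external_ip_lookup": [], "tor_gateways": [],
              "onion_services": set(), "unreviewed_hosts": [], "resolved_only": []}
    for d in sorted(resolved | set(connected)):  # one bucket per name, in this order
        if _has_suffix(d, NOISE_SUFFIXES):
            result["noise"].append(d)
        elif d in IP_LOOKUP_DOMAINS:
            result["external_ip_lookup"].append(d)
        elif _has_suffix(d, TOR_GATEWAY_SUFFIXES):
            result["tor_gateways"].append(d)
            result["onion_services"].add(onion_name(d))
        elif d in connected:
            for ip, port in sorted(connected[d]):
                result["unreviewed_hosts"].append((d, ip, port))
        else:
            result["resolved_only"].append(d)
    result["onion_services"] = sorted(result["onion_services"])
    return result


if __name__ == "__main__":
    for bucket, items in triage_network(NETWORK_ROWS).items():
        print(f"{bucket}: {items}")
```

The onion_services bucket is the indicator worth keeping: the gateway hostnames vary by Tor2Web operator, but the 16-character name in front of them is the hidden service the note points the victim at. Names that were resolved and never connected are reported separately because in a sandbox that usually means the lookup failed or the connection was blocked, not that the host is harmless.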

Files

memory/4464-0-0x0000000000710000-0x0000000000714000-memory.dmp

memory/4464-1-0x0000000000400000-0x000000000057F000-memory.dmp

memory/4464-5-0x0000000000830000-0x0000000000833000-memory.dmp

memory/4464-6-0x0000000074240000-0x0000000074279000-memory.dmp

C:\Users\Admin\AppData\Roaming\vcwwbb.exe

MD5 06afea8ebb1fd0ab752a2242b7e01c4b
SHA1 7a854db1ad7a94f356cf091ae2db4c0d4cb6b8a7
SHA256 ff0456237f7fd6c04b25859f926ed69cc6a55c979794afe923cefe1a0def39ea
SHA512 35efc508e78737c8079ecff981aeedae5928f4efe30c9d8b535029d8e8616aabeec10d843842367cdeb179d8de104fa37cba6cca57d36bb5796f22ea552a9f4b

memory/4188-11-0x0000000000400000-0x000000000057F000-memory.dmp

memory/4188-15-0x00000000006A0000-0x00000000006A3000-memory.dmp

memory/4464-17-0x0000000074240000-0x0000000074279000-memory.dmp

memory/4188-18-0x0000000074240000-0x0000000074279000-memory.dmp

memory/4464-16-0x0000000000400000-0x000000000057F000-memory.dmp

memory/1412-21-0x0000000000400000-0x000000000057F000-memory.dmp

C:\Users\restore_files_kikbf.txt

MD5 50f8b5ff1a695bb879671f3aa50f2316
SHA1 6db81b8895532fd820e4b215869535205994d837
SHA256 0d06b89054bda61d7f4ce8050b786ed5f6ccee3e45299e5dc58c87bdf95b651d
SHA512 8cd804a80378425fc6f1810525ceee944070d03d0440fa870a6e4377882ca9897021f709ff301ff2f1a1c0bdcd096c4a0d5585ba5341aead339d23245c53d842

C:\Users\restore_files_kikbf.html

MD5 0ed9e61d9eb0258408ddf2a3ac6788b8
SHA1 36d3d9b9e2596a53caeca5876d5f534b42af1ee0
SHA256 bf89680947ca1fc4530fe1b1e27d823a3cd64b1acf900a4c74bd57f9932cb117
SHA512 1cc82aa8fdad2ca27962a7bb14b56dda38f908986bb84d07e207c782af719391632ea566e2cdce0a2dba94537a36cdbfe92cc35c96ad35e97f65b629ae1c3488

memory/1412-43-0x0000000074240000-0x0000000074279000-memory.dmp

memory/1412-65-0x0000000000400000-0x000000000057F000-memory.dmp

memory/1412-66-0x0000000074240000-0x0000000074279000-memory.dmp

memory/4188-4742-0x0000000000400000-0x000000000057F000-memory.dmp

memory/4188-8861-0x0000000000400000-0x000000000057F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 86d82964f0f1af65f5670160f2760633
SHA1 7e2814924a303a2681bd348359032cb5241c536c
SHA256 8d3ffdbd57fae7374a0dbba31ebb5384e92f5ccd0e6cf8a472774e2f3558c1c3
SHA512 9f7d3f4136bbbbd23ada4aaab910ae773ee7452fd03298ee4a2ea7b3d0477487b7640500de62d31d53f9684e835414e1c2b6447e268325db07d92134272e1e62

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 41c6a05b2522c6a4ebdc7fd09a392ba2
SHA1 b03d79dbfad3b3e5a7f9c1943b1f5974b630650d
SHA256 863722e4be0e6e7df651251c3aed0de4ec8ef10ed750542c81f8e93280d776d0
SHA512 98031164190580c2a88b88142447145dc6ed7061ce0fc071cabfbf2b07f6791ad6aeea29338dd5ed2345baccb33233784ab12ab7dc1e121c80c9e19f1f980868

\??\pipe\crashpad_960_POSDOOUYHIJAUUAF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 47589ace426d16ddc3dd8528247a8673
SHA1 2fbe33fe36e043407b0116b54b4e87b43ec020f6
SHA256 a69e6d97c80a37d33fa4f2a3007e583153bd27b83bcb30c99228d2d12ac2d8fa
SHA512 8ad251fcec1eeac9580ad4aefdaea7f15e8faf7ffb3d3b22a6c1ec9daba7eed7231193ff53efcd460a2185ae93cdaf0a287d8c1e36390b537daddc30cd878f2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3e2d3f54d45c5239d94ff524828e2a3f
SHA1 7e4be8132f34e8d1c8be73eaf7e0f47942fbbdd4
SHA256 9a9a4dc3eca105b08d2a13e7399cd73db214eadad2bc8893d87eee5e93227ea9
SHA512 3a747f1d79e8e89ed3ac4645f1f223aa9b27271dae733c94d4d06c13b512bbd10206897ac7b0a7f25679085f44659a947f9455139329df9b43476cbabdd6381b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 164a788f50529fc93a6077e50675c617
SHA1 c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256 b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512 ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

MD5 a2a21130616df9e2c2e88a37e421112e
SHA1 495f59ca4555f3387d32da114311e2ddc83f8130
SHA256 7cb9403aa5ce6499aaa9112bc89c35ca8f925dbdc1f48e3e024d20bac4c2bfbd
SHA512 98fc2c16ae01e71e33620dd9a968efa1cf97a9f34a958ff73c1db0340cde4c8dbea460b7c92ead10c00f876702924acf314ec3944c3c97c68d7f41e04594cb25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

MD5 06d55006c2dec078a94558b85ae01aef
SHA1 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512 ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

MD5 76f49a2c146c7e8faf216c4e362d2faa
SHA1 a1f7bd5892da21171a6a1da24c3f788aac709dcc
SHA256 2075e51d1401d72a96f8272d0095303d474b48089d2193b4e0ed7378c85303fc
SHA512 c415e6f2f19b480d742c58e08ea4df370cf518bd38d6945f0cd9b6d5d1947f66719b30ee46e2e8d8935e294921d069587c1a858cbabf6d745602a2ea1fc4b62f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Temp\b401ed58-47c6-49a0-a202-b6edeffb79f9.tmp

MD5 cc05ed3e66468e692745ba6563c69740
SHA1 eae9dbd4d36aa91fd43f7d452ac3d252b103759d
SHA256 fb1311fb7142825abacb3c7aedddf948f5c9b258e447c953ce0f7f4b19c6dfff
SHA512 4b527db02d6ea36b914558a3e44fd3d15772bf2be4ba0a640bf70427af07dcde5ed6967930cc3624a244cfc82290f125eea2754812586216b3d5a37757ce8db4

C:\Users\Admin\AppData\Local\Temp\32dbcd0f-8607-4746-aa7e-17bccdc00ece.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Temp\f72a8ea6-ca1f-4e5c-b388-0d0d75e6986e.tmp

MD5 78e47dda17341bed7be45dccfd89ac87
SHA1 1afde30e46997452d11e4a2adbbf35cce7a1404f
SHA256 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA512 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist

MD5 d11d7533c72bb4f2e791d05650a45e2e
SHA1 eb1383e1d99a1c78ce2721fee15043eb7d498f63
SHA256 3d7124bd67434b44501704e52f34ba05d545541b01335cf5fbbcefde11703ba5
SHA512 52188a97e95b96b4ae1c219baead33cd56b84ebc82131fbb7312c379d4d847944491f42e17def5a22351796c1f4eadcbe66455162207c888eb93e7fdb1b46d71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js

MD5 3d20584f7f6c8eac79e17cca4207fb79
SHA1 3c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA256 0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512 315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

memory/4188-9329-0x0000000000400000-0x000000000057F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\55519206-4218-40eb-8284-b344cf19145c.tmp

MD5 b8d2574b7ef64966e8c70c441f2a9344
SHA1 9dae6666703b3e2add1a1ca93e192ad75dcc84f3
SHA256 8659359a8b9b43b5b40d4813c21fdce16210f72150c2779aff54410752e3a364
SHA512 d398845aa47c84f8030ec59716fb408f08ce8c55421d01493ab94bfeda0bd86de2473942944578e9021eb7514c28ed53f08c5bb59f28681edbc5e9f1adba5582

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 e3adad4f62f050c2bbf1b180d4299ba3
SHA1 ef512b67c22744643419ccf8fceb19d60fd7a2da
SHA256 589544aa7923c5ad82c5ae893d9fb175e79bb3cd528d16d4cfd1290c1156a542
SHA512 8973cf9d38c94233e478e94d764517a69f7c09e88892c1fd407124576ff294e67afd725ed365c9e911735aacb11754d1ca582c1e3ea1a3469ee3816a1c78b94f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 171cae284fb26e53a423530e825106c8
SHA1 0cb7ea9cda1b2bc0ed15bb55eacf1d4c340559f1
SHA256 32fb966682bbf657e95d6b7ebcf6bc31e5af14c3e287efee6385a38f8c81be0a
SHA512 ac9f01ff8350d901ae22e9a0e3a9ead3ead74115c31557ac2f3e3f98bc68ae73f4b62a19f02f2c4f9bed67c726be8e8f6e70f768ce27796765328a2518781869

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5863d6.TMP

MD5 7dad78f506b682ae9f41e7a226bc4cd5
SHA1 7244546106261bf981c7c6282f609ca3902c2c57
SHA256 bcbf1f33cdc34e05f1e5391d161ba2e632629530e0ac71ae2cc60ec55f05d854
SHA512 91f5d6df7d3b3edb41cb471bd0e07c6f7954613391a8efe6f71b082736028f1a7c3020be876ba3b943a5c9b0afa806d4d5461b2dc1b7f996c417c13651cf82ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 4535da9fec37c78d4362e48bed3c08ec
SHA1 cdcc1202085a99d9fe42681554629d051571b49f
SHA256 73682c60cce390abf0193406d87430f9fe7b2cc8256762458dd994dbb160edda
SHA512 0185c36c65e532cbc1b0b5c81250f5a0669f81ed2905420ef913ba758285f2d806711debdd1a50e89b0a5188a8ff5070437259b8b3b1c75d98e7f3b296777281

memory/4188-9448-0x0000000074240000-0x0000000074279000-memory.dmp

memory/4188-9447-0x0000000000400000-0x000000000057F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\service_worker_bin_prod.js.abc

MD5 d72bca2e9b290865b824cd77afb7059f
SHA1 e7df6aeb9d1de5d5dda56d3b9c439e83f63d244e
SHA256 9bf3a1021484cfb16c1fa07d2755738421b93b1b8969465f81efbe20f37e18dd
SHA512 c581d5286c3f09fa4c89a04779c5aa45eb561b4fab998fc0db68252d05b10225ae7a2133ba630a0698066a590443fe8e45f105def8e308c0a527e3e877cb9f15

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\page_embed_script.js.abc

MD5 e12834ab6547583522c71ea4e50b575b
SHA1 a9cf50f48570d61e55c852b80a785aa2f101c9b2
SHA256 c8fb368cf131a8b656ba2dc1b52e83575fd979752b56250a4159161b9650a4a3
SHA512 d43992b5ff995916d4dd5902446269aaf3ea7a08f9100532d086743793b37a317999c2a43d6c72d9cba19925f992393797a0f33309e8c14662471fa7a36d1ec3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\offscreendocument_main.js.abc

MD5 ec93b184f306d8160b7d39399ba8ca1a
SHA1 631f39298227a9e156c8fae0a70e54d5814765e6
SHA256 d2d2c9e2908c1a2dc44605b0077cd394754b168610006b2fe8adacbae1e897d1
SHA512 c9363851341f9854296c67254b3b51eb754c56c6a8d1f05fb0b62381003e2c5330bdc83bba05dae3f9f6f6f55299dcf7f5d174c4ff3be9199736b9a0083d5892

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\128.png.abc

MD5 7d4c49af771a86e60da26a52ef9f8311
SHA1 4a2238f583a04a3856e9f42218c44bfce50711d7
SHA256 064f1242cf1c9c317b39ea63924f6fc44eb4cdbeb585aebad40ad5009fdf269e
SHA512 1d81d0afcce1fda3b11f9f3d5b13d7d077ae6a8355a65068b2230935866744e237cf6760f07a463d7550f5bba2ee854ece3e51f3a69836f4527a0e3f6cbc1159

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 ea043dd177f4cdd50880f10c150c3d50
SHA1 8103600713aa3c7cc9b52d6598973961685dc29d
SHA256 363803ea8192fb55ea7da9f152b013c084140b89a7fea071c89596bff31cca7a
SHA512 26abc54bfb30bd0bcd90a3c390325e205ca53a28c0eefe578f5065cd72833ca491c869e3df9196924ed51346d623cefeceff9b381709df5b49bbf8cecec3c281

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe58fdf3.TMP

MD5 51e9fa45536dcb71d262ba67c1569cfb
SHA1 9ab8d33c89806d08da5432e62a2550369064edc6
SHA256 917169468a6754abf8e2fdcbe50d789517e9f85edf8edc8300699ba463347199
SHA512 d18e9d4fe69083b689d153296a416f6795bf32db5ba550b2d34aa93efb8a6a42526dd8dc6518c8b8755196cb850e65f7ade29c029847ebbc9aa80c14a85e2b40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

MD5 3bca8411b45106afaa963d562c371631
SHA1 78857d33a65e7061ca18a3540c304f01e7e85325
SHA256 4503345ee70aa9ca0f90012b665743d7c13ec7052e7a943222287973b752b9c7
SHA512 a6a7e9af6613a30730a0b87be76f87144a3483afb756445d462de7b22543027e5e8f5822e0337ba2d7b65e413e526da962783d05d226c0d13d113d57d28b56ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe590006.TMP

MD5 22ed3cc04fcc2e66b81335c4395971fd
SHA1 12ef48d70ec6f360644d2573dde99756f6ac05fb
SHA256 27bffcff6642dfcb87ac33eea61059552bc35ccd3c0d9f4da550398351836df9
SHA512 9219928d246a8aa761ee289b0baacc7214b028976b1b890c7f1df38ecac61cb3a90e8af1b3861929155d07af304d58ae8f7304466769669a7cd40c55ae61cf40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 479c0f1985bc69e9ec0457a27a43952e
SHA1 e8934a643be4583f6f19dc3e8e9d3575b517e072
SHA256 b30fa8fac5316e6472eea4457afa1454f03261e4c88982ad8f20e92fdff30da5
SHA512 e73b416146e2f0d0b38aaa6a1818fbd982f8b94394d981d35e1ca9f592b2eebd34473cc1baa2a03f3a3252be96b135e8592ed9e8f01c53e8533bc3f8ccdeddd1

C:\Program Files\chrome_Unpacker_BeginUnzipping960_1186905608\manifest.json

MD5 af3a9104ca46f35bb5f6123d89c25966
SHA1 1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8
SHA256 81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea
SHA512 6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b1419219d2331706259e7275d779d7d8
SHA1 7fa1178af7f6df6621b5c9d0952f069565a38fb8
SHA256 7c8d29f1c6bec73b58450cc30aa768286b1163fa9985a9ce4180aaa48e39a45b
SHA512 3d01309b50084a5450b8cf4d7cdfaa51562ffed7bf2f27d41aacc37f87ab1cd996137b20fc1945a3dbbe96c6e58c44ce7610db0df6abd15ccc5c54e929f8d0a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 28ab0a82cd032a44a253fff6000faba8
SHA1 5be6f9510047ff976021fc5f731c87fe921f2fbb
SHA256 8f9ccbb8806157a6823d2f5c90541de52ce8504aaa4c330ae48dc89e75027fc0
SHA512 7ee5138dc70b2461d2f2dbf039518f16b3b699105d113bb51065f1fcc98b2cfcb5bbd95d7b6e0b18ad17277e5d2ca1ec29e5f5e25c97d5de0612c3551ff4690a

C:\Program Files\chrome_Unpacker_BeginUnzipping960_1327106174\manifest.json

MD5 049c307f30407da557545d34db8ced16
SHA1 f10b86ebfe8d30d0dc36210939ca7fa7a819d494
SHA256 c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54
SHA512 14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

MD5 f9fd82b572ef4ce41a3d1075acc52d22
SHA1 fdded5eef95391be440cc15f84ded0480c0141e3
SHA256 5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6
SHA512 17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

C:\Program Files\chrome_Unpacker_BeginUnzipping960_1788052671\manifest.json

MD5 c3911ceb35539db42e5654bdd60ac956
SHA1 71be0751e5fc583b119730dbceb2c723f2389f6c
SHA256 31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d
SHA512 d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json

MD5 499d9e568b96e759959dc69635470211
SHA1 2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6
SHA256 98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d
SHA512 3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

C:\Program Files\chrome_Unpacker_BeginUnzipping960_714335852\manifest.json

MD5 a24a1941bbb8d90784f5ef76712002f5
SHA1 5c2b6323c7ed8913b5d0d65a4d21062c96df24eb
SHA256 2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747
SHA512 fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

MD5 94406cdd51b55c0f006cfea05745effb
SHA1 a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9
SHA256 8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e
SHA512 d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3
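Most of the entries above are not artefacts of the sample itself but files Microsoft Edge writes to its own profile while running (Crashpad, `Local State`, component unpacker directories, extension caches), and several carry the hashes of trivial content (the empty file, `{}`, `[]`). What is worth pulling out are the names that end in a second extension such as `128.png.abc` or `service_worker_bin_prod.js.abc`, which match the "Renames multiple (912) files with added filename extension" signature, and the paths listed more than once with different hashes, which were rewritten during the run. The following Python script is an added triage example, not part of the report or of the sandbox's own tooling. It assumes only the flat listing format used on this page (a path line, a blank line, then `MD5`/`SHA1`/`SHA256`/`SHA512` lines, with memory dumps carrying no hashes); the excerpt embedded in it is constructed from entries copied from the page.

```python
"""Triage helper for a sandbox "Files" listing (added example, not part of the report).

Parses the flat "path / blank / MD5 SHA1 SHA256 SHA512" blocks the report uses,
flags entries whose hashes are those of trivial content (empty file, "{}", "[]"),
collects paths that appear more than once with different content (rewritten
during detonation), and counts appended extensions such as ".png.abc".
"""
import hashlib
import re
from collections import Counter, defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Constructed excerpt of the report's Files section; paths and hashes copied from it.
# Not every entry carries all four hash lines here, which the parser tolerates.
SAMPLE_LISTING = r"""
memory/4188-8861-0x0000000000400000-0x000000000057F000-memory.dmp

\??\pipe\crashpad_960_POSDOOUYHIJAUUAF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 41c6a05b2522c6a4ebdc7fd09a392ba2
SHA256 863722e4be0e6e7df651251c3aed0de4ec8ef10ed750542c81f8e93280d776d0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 47589ace426d16ddc3dd8528247a8673
SHA256 a69e6d97c80a37d33fa4f2a3007e583153bd27b83bcb30c99228d2d12ac2d8fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\service_worker_bin_prod.js.abc

MD5 d72bca2e9b290865b824cd77afb7059f
SHA256 9bf3a1021484cfb16c1fa07d2755738421b93b1b8969465f81efbe20f37e18dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\128.png.abc

MD5 7d4c49af771a86e60da26a52ef9f8311
SHA256 064f1242cf1c9c317b39ea63924f6fc44eb4cdbeb585aebad40ad5009fdf269e
"""

# SHA-256 of content that carries no information; computed here rather than hard-coded.
TRIVIAL_SHA256 = {
    hashlib.sha256(data).hexdigest(): label
    for data, label in ((b"", "empty"), (b"{}", "{}"), (b"[]", "[]"))
}


def parse_listing(text):
    """Return one dict per entry: path plus md5/sha1/sha256/sha512 (None when absent).

    A non-hash line starts a new entry; hash lines attach to the most recent entry,
    so a memory-dump line followed directly by the next path keeps no hashes.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1][m.group(1).lower()] = m.group(2).lower()
        else:
            entries.append({"path": line, "md5": None, "sha1": None,
                            "sha256": None, "sha512": None})
    return entries


def classify(entry):
    """'memory-dump', 'no-hash', 'trivial:<what>' or 'content'."""
    if entry["sha256"] is None:
        return "memory-dump" if entry["path"].startswith("memory/") else "no-hash"
    label = TRIVIAL_SHA256.get(entry["sha256"])
    return f"trivial:{label}" if label else "content"


def rewritten_paths(entries):
    """Paths listed more than once with differing SHA-256, i.e. rewritten during the run."""
    seen = defaultdict(list)
    for e in entries:
        if e["sha256"]:
            seen[e["path"]].append(e["sha256"])
    return {p: hashes for p, hashes in seen.items() if len(set(hashes)) > 1}


def appended_extensions(entries):
    """Count the last suffix of file names that carry two extensions (e.g. '.png.abc').

    A ransomware that appends its own extension leaves the original one in place,
    so the appended one is the final suffix of a double-extension name.
    """
    counts = Counter()
    for e in entries:
        name = re.split(r"[\\/]", e["path"])[-1]   # basename for both separators
        parts = name.split(".")
        if len(parts) >= 3 and all(parts[-2:]):
            counts["." + parts[-1]] += 1
    return counts


def summarize(text):
    """Roll the three checks up into one dict for a listing in the report's format."""
    entries = parse_listing(text)
    labels = Counter(classify(e) for e in entries)
    return {
        "entries": len(entries),
        "memory_dumps": labels["memory-dump"],
        "trivial": sum(v for k, v in labels.items() if k.startswith("trivial:")),
        "rewritten": rewritten_paths(entries),
        "appended_extensions": appended_extensions(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run against the full Files section rather than the excerpt, the appended-extension count is the quickest way to find the extension the sample adds, and the trivial-hash and rewritten-path checks strip out the browser's own housekeeping so that the remaining `content` entries are the ones worth hashing against a clean baseline.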