Analysis

- max time kernel: 82s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-03-2023 04:04
General

- Target: Orcus_Vgk.exe
- Size: 3.7MB
- MD5: 1e88604f32e24a69fcccf04bcb5a8fa0
- SHA1: 84f22a7ed74ce0ae4643c84343c0d2b94ceb16bf
- SHA256: 2d711cdf078f65d2ec4869021fba98d9d2d4d0d27d89e7a8825ad6f659200505
- SHA512: 0e21e15646e7acbec56cc148e60367387bd9002a16e37748903ada8c23b01918fcff5c7f2cf72a385ab23aa14e841babe7604eaec35b034d92f38820095bd9e2
- SSDEEP: 98304:nxULIzdQpR9cUEQZD8Q41wKE7WZBAIbbAhP3w3/yo:xUWI9bEMX4iL7UBAeAhPg3r
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  - Orcus_Vgk.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Orcus_Vgk.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  - Orcus_Vgk.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- yara_rule: themida
  Resources:
  - behavioral1/memory/4996-133-0x00007FF70F930000-0x00007FF710329000-memory.dmp
  - behavioral1/memory/4996-134-0x00007FF70F930000-0x00007FF710329000-memory.dmp
  - behavioral1/memory/4996-135-0x00007FF70F930000-0x00007FF710329000-memory.dmp
  - behavioral1/memory/4996-136-0x00007FF70F930000-0x00007FF710329000-memory.dmp
  - behavioral1/memory/4996-137-0x00007FF70F930000-0x00007FF710329000-memory.dmp
  - behavioral1/memory/4996-138-0x00007FF70F930000-0x00007FF710329000-memory.dmp
  - behavioral1/memory/4996-139-0x00007FF70F930000-0x00007FF710329000-memory.dmp
  - behavioral1/memory/4996-249-0x00007FF70F930000-0x00007FF710329000-memory.dmp
  - behavioral1/memory/4996-381-0x00007FF70F930000-0x00007FF710329000-memory.dmp
- Checks whether UAC is enabled
  Processes:
  - Orcus_Vgk.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  - Orcus_Vgk.exe (PID 4996)
- Drops file in Program Files directory (2 IoCs)
  Processes:
  - setup.exe: File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cf3baca4-b23a-460e-942f-b8f426e2b2ee.tmp
  - setup.exe: File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230322040439.pma
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Kills process with taskkill (36 IoCs)
  Processes:
  - taskkill.exe PIDs: 1848, 4424, 1208, 2520, 3820, 4268, 2740, 3512, 4956, 1248, 4764, 4388, 2852, 3944, 3244, 4712, 116, 1336, 896, 3852, 4304, 1820, 492, 3432, 4192, 3544, 3484, 1848, 3908, 3364, 2000, 392, 4272, 1060, 4724, 1636
- Modifies registry class (2 IoCs)
  Processes:
  - msedge.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-144354903-2550862337-1367551827-1000\{72AA9AC1-6ECE-4EDE-B8CF-B468187EC821}
  - msedge.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  - msedge.exe PIDs 2912, 3948, 4160 (two entries each)
  - identity_helper.exe PID 4756 (two entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes:
  - msedge.exe PID 3948 (seven entries)
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes (Token: SeDebugPrivilege in every entry):
  - taskkill.exe PIDs: 4268, 2740, 3244, 4956, 1820, 2000, 4712, 1848, 4724, 4764, 4272, 492, 3432, 4388, 1636, 1848, 4192, 4304, 116, 4424, 1336, 2852, 1248, 1208, 3364, 3820, 896, 3944, 2520, 1060
  - cmd.exe PIDs: 3484, 3852
  - setup.exe PID: 3512
  - svchost.exe PID: 392
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  - msedge.exe PID 3948 (two entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (parent PID wrote to memory of target PID; each pair appears twice in the raw list, except 3948 -> 1268, which appears 18 times):
  - 4996 Orcus_Vgk.exe -> 2176 cmd.exe
  - 4996 Orcus_Vgk.exe -> 2160 cmd.exe
  - 2160 cmd.exe -> 4268 taskkill.exe
  - 4996 Orcus_Vgk.exe -> 912 cmd.exe
  - 912 cmd.exe -> 3484 cmd.exe
  - 4996 Orcus_Vgk.exe -> 3792 cmd.exe
  - 3792 cmd.exe -> 2740 taskkill.exe
  - 2176 cmd.exe -> 3948 msedge.exe
  - 4996 Orcus_Vgk.exe -> 1420 cmd.exe
  - 1420 cmd.exe -> 3244 taskkill.exe
  - 4996 Orcus_Vgk.exe -> 684 cmd.exe
  - 4996 Orcus_Vgk.exe -> 4424 taskkill.exe
  - 4424 taskkill.exe -> 4956 taskkill.exe
  - 3948 msedge.exe -> 4412 msedge.exe
  - 684 cmd.exe -> 4980 certutil.exe
  - 684 cmd.exe -> 744 cmd.exe
  - 684 cmd.exe -> 4756 find.exe
  - 4996 Orcus_Vgk.exe -> 5088 cmd.exe
  - 5088 cmd.exe -> 1820 taskkill.exe
  - 4996 Orcus_Vgk.exe -> 1536 cmd.exe
  - 1536 cmd.exe -> 2000 taskkill.exe
  - 4996 Orcus_Vgk.exe -> 3740 cmd.exe
  - 3740 cmd.exe -> 4712 taskkill.exe
  - 3948 msedge.exe -> 1268 msedge.exe
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c start https://discord.gg/UM2uzqxWhJ
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/UM2uzqxWhJ
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9fd4b46f8,0x7ff9fd4b4708,0x7ff9fd4b4718
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2668 /prefetch:8
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2972 /prefetch:8
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 /prefetch:8
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x220,0x230,0x7ff790175460,0x7ff790175470,0x7ff790175480
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4833789514419538209,6127784022268852768,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im KsDumperClient.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im KsDumper.exe
  - Kills process with taskkill
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im HTTPDebuggerSvc.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\certutil.exe
  command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe" MD5
- [depth 3] C:\Windows\system32\find.exe
  command line: find /i /v "md5"
- [depth 3] C:\Windows\system32\find.exe
  command line: find /i /v "certutil"
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im ProcessHacker.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im idaq.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im idaq64.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im Fiddler.exe
  - Kills process with taskkill
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im FiddlerEverywhere.exe
  - Kills process with taskkill
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im Xenos32.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im de4dot.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im Cheat Engine.exe
  - Kills process with taskkill
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im cheatengine-x86_64.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im MugenJinFuu-i386.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im cheatengine-i386.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
  - Kills process with taskkill
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im KsDumper.exe
  - Kills process with taskkill
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im OllyDbg.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im x64dbg.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im x32dbg.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im HTTPDebuggerUI.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im HTTPDebuggerSvc.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im Ida64.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im OllyDbg.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im Dbg64.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im Dbg32.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
- [depth 3] C:\Windows\system32\taskkill.exe
  command line: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im HTTPDebuggerUI.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im Wireshark.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [depth 1] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im Xenos64.exe
  - Kills process with taskkill
- [depth 1] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im Xenos.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\taskkill.exe
  command line: taskkill /f /im cheatengine-x86_64.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
  - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 462f3c1360a4b5e319363930bc4806f6
SHA1 9ba5e43d833c284b89519423f6b6dab5a859a8d0
SHA256 fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85
SHA512 5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 d2642245b1e4572ba7d7cd13a0675bb8
SHA1 96456510884685146d3fa2e19202fd2035d64833
SHA256 3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1
SHA512 99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 48B
MD5 77500956f0c3583772d2b0e16bb843fc
SHA1 888f6339f91ee05d948da0caf0ccc6a8df9f0860
SHA256 cbb224c465b0d4161ac9c85d2f2183416cfd386f5e1483fdaf247f1f0bfaa445
SHA512 37dc2a2b54c2f2525320e7aff47bdc24b6a4d83e5413ba31ed370bc7a7c4c71ebf39f083afb5070039a5f278fb335a99daeda19f75d9b6767d43319bd2b36f9e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 408B
MD5 1d169af663836fc7d0e03fd026afe228
SHA1 80e61c3474cd5f4e8c2250068c6e503daa555d38
SHA256 75859db4ac77ad3b47a54ca74a6dd4a9bf1e9f041a43914a828b4b30d5d9bf55
SHA512 b41e915569b95d1672b2d2fe7cc8d2c1626b8b177f3ee5d4ba178e6ab221e1918d3f50216d1ae0e9d82397f8d79bd110708847823efb8e91cd2d638bfc2aec19
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize 70KB
MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize 2KB
MD5 98ff8a9efcd4da8d4aeba6a209da077c
SHA1 45bc142b5b5af848986edb7ceed420ac815db948
SHA256 9ddf58f6ad6ce314c96836f14e07b31f73596c1532066eb0c2d1317559c9ca69
SHA512 9b822ca34c0d9c9eaa1b5c3d54d24a6e249c64aa3bb5fb92962e212d5f67b59cfd6c1adbc4d91a01671aaf8947da5dd30cf12327eced36554813640f80fa947f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 111B
MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 654B
MD5 6a2a0bae9033627ac0ef793bc87c786f
SHA1 4d1aa02e7cbd6bcf219610fb5a9e4586fb251622
SHA256 ee802996a2e4368fc73954eb6daa2eb291ac42b9c8f3958cbacf4c0926b998dd
SHA512 ec432379d0b4822e1d91b7b536627836899b24f2d16ee1eb09348c15a1becef10eccd0f4da795b2675554bb7c45a883e909338d5547f7f4a45490305395da3a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 4KB
MD5 67d7000977b1e657d5722a6d59832e95
SHA1 a42a4fe96cd83abbad98fe6116abbc57a3453020
SHA256 5dc57e9d661b82e46a16d8af141bf6b02cfa8260bae452f4ac21e7325885917a
SHA512 243190a5e2fe4c6581eb7448967f4f20635c1ab8a600ba574aef9a8e3d9703f3fc1750cea3cc278d8b73b05a08b1d3cdeffe14fdbbf7d7149d77a6b52739a7764
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 5KB
MD5 aea711d7e92e9fac69e771110d5f1d9d
SHA1 890dd1f28bc30cdcc54abc573278757584a07a38
SHA256 6fe5937797493398b9d44193a317d302e87960c790e07513e9d55fddb7d3b7e6
SHA512 b1b55b182989a049dbc5e9395f83752e0d5f6becbae3718a1a1a7a4cf620e568b920f61c3d30b5a180cfde0b7130655d86e842b5c60d3ca5605b658b2ec82887
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 5KB
MD5 c234f61a94c6236a398061c54c42d080
SHA1 c3f1766b7f7e9ef798bcab9b14f9e49a87f5159e
SHA256 9adbeacb04bea73c43d6b1778a5e07ba48fb871623498b6dc3defe64763f73f5
SHA512 48371c51634291499045ad870b879381044f273ba6f47e3566b4b5cf120c6798a9c32c34a9211634eea18f6fbf0fe2701bc1ed87443827156ee06fb0b0e5332e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize 24KB
MD5 130644a5f79b27202a13879460f2c31a
SHA1 29e213847a017531e849139c7449bce6b39cb2fa
SHA256 1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1
SHA512 fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 9KB
MD5 e557b1996d5e7233c21cccf61bde1aa4
SHA1 63702cadc9a2b41bb42db25b0efa7b9056ec02a2
SHA256 cc1f7968618ec0972239f8a59fe63d1439fc5e6a823fd29c3560fbe05dda7a48
SHA512 75054c4eca02964cb6d876ef8e8cda1d0e7d8d86327697e1b8392eeed079bfbc6277102ab6df6ccc315821ebdcd886cc80e9c5ea9e321d7dc6b7dee491904376
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 3KB
MD5 771ebcabecde6ca68157139985d4c9d0
SHA1 fd13cd2e0aad4205f6b3e4f2adf47e522f28ce6f
SHA256 caad6a358b70a49b52c5510281d8d39e205ef68a18064a8216676afac1d2e5bf
SHA512 815170c99ff3c90abf2eb29e3d3925145fe58814935914acc12ff4a349f9d5c1acc45e0a41210ad54cbb65af7d35661606d508ab61715b52e188d51205e66209
-
\??\pipe\LOCAL\crashpad_3948_WDKFIFBILWDCYILJ
Filesize (none recorded; named pipe)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: all four digests are those of zero-length input, so no content was captured from this pipe; the entry only records that the Crashpad handler of PID 3948 created it.
-
Memory dumps of PID 4996. All nine cover the same range 0x00007FF70F930000-0x00007FF710329000 (0x9F9000 bytes, reported as 10.0MB), captured at different points in the run (event index in the file name):
memory/4996-133-0x00007FF70F930000-0x00007FF710329000-memory.dmp  Filesize 10.0MB
memory/4996-134-0x00007FF70F930000-0x00007FF710329000-memory.dmp  Filesize 10.0MB
memory/4996-135-0x00007FF70F930000-0x00007FF710329000-memory.dmp  Filesize 10.0MB
memory/4996-136-0x00007FF70F930000-0x00007FF710329000-memory.dmp  Filesize 10.0MB
memory/4996-137-0x00007FF70F930000-0x00007FF710329000-memory.dmp  Filesize 10.0MB
memory/4996-138-0x00007FF70F930000-0x00007FF710329000-memory.dmp  Filesize 10.0MB
memory/4996-139-0x00007FF70F930000-0x00007FF710329000-memory.dmp  Filesize 10.0MB
memory/4996-249-0x00007FF70F930000-0x00007FF710329000-memory.dmp  Filesize 10.0MB
memory/4996-381-0x00007FF70F930000-0x00007FF710329000-memory.dmp  Filesize 10.0MB
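Added example, not part of this report or of the sandbox's own tooling: a Python parser for the dropped-file list in the flattened form the raw extraction of such reports presents it in (path fused with "Filesize", digest label fused with its hex value, or the digest label fused onto the path line when no size was recorded). It splits each entry into path, size and digests, checks each digest's hex length against its algorithm, flags entries whose digests are those of zero-length input (the Crashpad pipe above), and derives the byte length of each memory-dump region from its file name. The embedded SAMPLE is a constructed excerpt in that layout, built from two file entries and one memory dump copied from this report; the assumption that no real path ends in "Filesize" or a digest label is noted in the code.

```python
"""Parse a flattened sandbox 'Downloads' list into structured artifact records."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in the raw flattened layout (entries copied from the report).
SAMPLE = r"""-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5462f3c1360a4b5e319363930bc4806f6
SHA19ba5e43d833c284b89519423f6b6dab5a859a8d0
SHA256fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85
SHA5125584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417
-
\??\pipe\LOCAL\crashpad_3948_WDKFIFBILWDCYILJMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4996-133-0x00007FF70F930000-0x00007FF710329000-memory.dmpFilesize
10.0MB
"""

# Longest labels first so "SHA512..." is not read as "SHA1" + "512...".
DIGEST_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE_RE = re.compile(r"^\d+(?:\.\d+)?(?:B|KB|MB|GB)$")
MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Digests of zero-length input: an entry carrying exactly these had no content captured.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}


@dataclass
class Artifact:
    path: str
    kind: str                          # "file", "pipe" or "memory"
    size: Optional[str] = None         # size string as the report prints it, e.g. "152B"
    digests: dict = field(default_factory=dict)
    region: Optional[tuple] = None     # (pid, event index, start, end) for memory dumps

    @property
    def is_empty(self) -> bool:
        """True when every digest recorded equals the digest of empty input."""
        return bool(self.digests) and all(
            v.lower() == EMPTY_DIGESTS[k] for k, v in self.digests.items())


def classify(path: str) -> tuple:
    m = MEMORY_RE.match(path)
    if m:
        pid, idx, start, end = m.groups()
        return "memory", (int(pid), int(idx), int(start, 16), int(end, 16))
    if path.startswith("\\??\\pipe\\"):
        return "pipe", None
    return "file", None


def parse_downloads(text: str) -> list:
    artifacts = []
    for block in re.split(r"^-\s*$", text, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        path, pending = lines[0], None
        # Assumption: no genuine path ends in "Filesize" or a digest label; the
        # fused suffix is extraction debris, and a fused digest label means its
        # value is on the following line (the pipe entry above).
        if path.endswith("Filesize"):
            path = path[:-len("Filesize")]
        else:
            for label in ("SHA512", "SHA256", "SHA1", "MD5"):
                if path.endswith(label):
                    path, pending = path[:-len(label)], label
                    break
        kind, region = classify(path)
        art = Artifact(path=path, kind=kind, region=region)
        for line in lines[1:]:
            if pending:
                art.digests[pending], pending = line, None
                continue
            m = DIGEST_RE.match(line)
            if m:
                art.digests[m.group(1)] = m.group(2)
            elif SIZE_RE.match(line):
                art.size = line
            else:
                raise ValueError(f"unrecognised line in entry {path!r}: {line!r}")
        # A digest of the wrong length is fused or truncated text, not a hash.
        for name, value in art.digests.items():
            if len(value) != DIGEST_LEN[name]:
                raise ValueError(f"{name} has length {len(value)} in {path!r}")
        artifacts.append(art)
    return artifacts


def region_size(art: Artifact) -> Optional[int]:
    """Byte length of a memory-dump region, or None for non-memory entries."""
    if art.region is None:
        return None
    return art.region[3] - art.region[2]


def report(artifacts: list) -> list:
    """One summary line per artifact, flagging empty digests and dump regions."""
    out = []
    for a in artifacts:
        if a.kind == "memory":
            out.append(f"{a.path}: {region_size(a):#x} bytes, event {a.region[1]}")
        elif a.is_empty:
            out.append(f"{a.path}: digests of empty input (no content captured)")
        else:
            out.append(f"{a.path}: {a.size} sha256={a.digests.get('SHA256')}")
    return out


if __name__ == "__main__":
    for line in report(parse_downloads(SAMPLE)):
        print(line)
```

Run as a script it prints one line per entry; the empty-digest check is what separates a pipe or placeholder entry from a real dropped file, and the region arithmetic is what shows all of the report's dumps to be the same 0x9F9000-byte image range rather than nine different allocations.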