Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
22-03-2023 04:12
General
-
Target
Orcus_Vgk.exe
-
Size
3.7MB
-
MD5
1e88604f32e24a69fcccf04bcb5a8fa0
-
SHA1
84f22a7ed74ce0ae4643c84343c0d2b94ceb16bf
-
SHA256
2d711cdf078f65d2ec4869021fba98d9d2d4d0d27d89e7a8825ad6f659200505
-
SHA512
0e21e15646e7acbec56cc148e60367387bd9002a16e37748903ada8c23b01918fcff5c7f2cf72a385ab23aa14e841babe7604eaec35b034d92f38820095bd9e2
-
SSDEEP
98304:nxULIzdQpR9cUEQZD8Q41wKE7WZBAIbbAhP3w3/yo:xUWI9bEMX4iL7UBAeAhPg3r
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Orcus_Vgk.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Orcus_Vgk.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Orcus_Vgk.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Orcus_Vgk.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Orcus_Vgk.exe -
Processes:
resource yara_rule behavioral1/memory/208-133-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp themida behavioral1/memory/208-134-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp themida behavioral1/memory/208-135-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp themida behavioral1/memory/208-136-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp themida behavioral1/memory/208-137-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp themida behavioral1/memory/208-138-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp themida behavioral1/memory/208-139-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp themida behavioral1/memory/208-248-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp themida behavioral1/memory/208-350-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp themida behavioral1/memory/208-419-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp themida -
Processes:
Orcus_Vgk.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Orcus_Vgk.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Orcus_Vgk.exepid process 208 Orcus_Vgk.exe -
Drops file in Program Files directory 2 IoCs
Processes:
setup.exedescription ioc process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bd87f888-5505-4fd2-ba3e-34cc2447fde4.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230322051314.pma setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Kills process with taskkill 36 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 4288 taskkill.exe 368 taskkill.exe 728 taskkill.exe 2348 taskkill.exe 2164 taskkill.exe 4828 taskkill.exe 3296 taskkill.exe 2752 taskkill.exe 2080 taskkill.exe 4308 taskkill.exe 1144 taskkill.exe 4828 taskkill.exe 4476 taskkill.exe 1476 taskkill.exe 2188 taskkill.exe 3936 taskkill.exe 5028 taskkill.exe 1072 taskkill.exe 2572 taskkill.exe 4680 taskkill.exe 2428 taskkill.exe 3580 taskkill.exe 4448 taskkill.exe 2008 taskkill.exe 2680 taskkill.exe 1712 taskkill.exe 540 taskkill.exe 1860 taskkill.exe 4688 taskkill.exe 2772 taskkill.exe 5084 taskkill.exe 3964 taskkill.exe 4616 taskkill.exe 3044 taskkill.exe 1740 taskkill.exe 1160 taskkill.exe -
Modifies registry class 2 IoCs
Processes:
msedge.exeTrustedInstaller.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1529757233-3489015626-3409890339-1000\{C18AAA6F-2D4C-4CA2-BB1A-E01A893A9436} TrustedInstaller.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
msedge.exemsedge.exeTrustedInstaller.exeidentity_helper.exemsedge.exepid process 2152 msedge.exe 2152 msedge.exe 1316 msedge.exe 1316 msedge.exe 3764 TrustedInstaller.exe 3764 TrustedInstaller.exe 5244 identity_helper.exe 5244 identity_helper.exe 4032 msedge.exe 4032 msedge.exe 4032 msedge.exe 4032 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 1316 msedge.exe 1316 msedge.exe 1316 msedge.exe 1316 msedge.exe 1316 msedge.exe 1316 msedge.exe 1316 msedge.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exemsedge.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 1860 taskkill.exe Token: SeDebugPrivilege 2080 taskkill.exe Token: SeDebugPrivilege 4680 taskkill.exe Token: SeDebugPrivilege 728 taskkill.exe Token: SeDebugPrivilege 1160 taskkill.exe Token: SeDebugPrivilege 4688 taskkill.exe Token: SeDebugPrivilege 540 taskkill.exe Token: SeDebugPrivilege 2348 taskkill.exe Token: SeDebugPrivilege 2428 taskkill.exe Token: SeDebugPrivilege 2164 msedge.exe Token: SeDebugPrivilege 368 taskkill.exe Token: SeDebugPrivilege 2772 taskkill.exe Token: SeDebugPrivilege 4288 taskkill.exe Token: SeDebugPrivilege 5084 taskkill.exe Token: SeDebugPrivilege 1144 cmd.exe Token: SeDebugPrivilege 3964 taskkill.exe Token: SeDebugPrivilege 4616 taskkill.exe Token: SeDebugPrivilege 1476 taskkill.exe Token: SeDebugPrivilege 3580 taskkill.exe Token: SeDebugPrivilege 4308 taskkill.exe Token: SeDebugPrivilege 2188 taskkill.exe Token: SeDebugPrivilege 3936 taskkill.exe Token: SeDebugPrivilege 3044 taskkill.exe Token: SeDebugPrivilege 5028 taskkill.exe Token: SeDebugPrivilege 4476 taskkill.exe Token: SeDebugPrivilege 2752 taskkill.exe Token: SeDebugPrivilege 1740 taskkill.exe Token: SeDebugPrivilege 1072 Conhost.exe Token: SeDebugPrivilege 4448 taskkill.exe Token: SeDebugPrivilege 2008 taskkill.exe Token: SeDebugPrivilege 2680 taskkill.exe Token: SeDebugPrivilege 1712 taskkill.exe Token: SeDebugPrivilege 4828 taskkill.exe Token: SeDebugPrivilege 2572 taskkill.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
msedge.exepid process 1316 msedge.exe 1316 msedge.exe 1316 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Orcus_Vgk.execmd.execmd.execmd.execmd.execmd.exemsedge.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 208 wrote to memory of 3164 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 3164 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 4784 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 4784 208 Orcus_Vgk.exe cmd.exe PID 4784 wrote to memory of 1860 4784 cmd.exe taskkill.exe PID 4784 wrote to memory of 1860 4784 cmd.exe taskkill.exe PID 208 wrote to memory of 2236 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 2236 208 Orcus_Vgk.exe cmd.exe PID 2236 wrote to memory of 2080 2236 cmd.exe taskkill.exe PID 2236 wrote to memory of 2080 2236 cmd.exe taskkill.exe PID 208 wrote to memory of 1740 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 1740 208 Orcus_Vgk.exe cmd.exe PID 1740 wrote to memory of 4680 1740 cmd.exe taskkill.exe PID 1740 wrote to memory of 4680 1740 cmd.exe taskkill.exe PID 208 wrote to memory of 3296 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 3296 208 Orcus_Vgk.exe cmd.exe PID 3164 wrote to memory of 1316 3164 cmd.exe msedge.exe PID 3164 wrote to memory of 1316 3164 cmd.exe msedge.exe PID 3296 wrote to memory of 728 3296 cmd.exe taskkill.exe PID 3296 wrote to memory of 728 3296 cmd.exe taskkill.exe PID 208 wrote to memory of 3340 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 3340 208 Orcus_Vgk.exe cmd.exe PID 1316 wrote to memory of 2180 1316 msedge.exe msedge.exe PID 1316 wrote to memory of 2180 1316 msedge.exe msedge.exe PID 208 wrote to memory of 4460 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 4460 208 Orcus_Vgk.exe cmd.exe PID 3340 wrote to memory of 4768 3340 cmd.exe certutil.exe PID 3340 wrote to memory of 4768 3340 cmd.exe certutil.exe PID 3340 wrote to memory of 4648 3340 cmd.exe find.exe PID 3340 wrote to memory of 4648 3340 cmd.exe find.exe PID 3340 wrote to memory of 2308 3340 cmd.exe find.exe PID 3340 wrote to memory of 2308 3340 cmd.exe find.exe PID 4460 wrote to memory of 1160 4460 cmd.exe taskkill.exe PID 4460 wrote to memory of 1160 4460 cmd.exe taskkill.exe PID 208 wrote to memory of 4716 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 4716 208 Orcus_Vgk.exe cmd.exe PID 4716 wrote to memory of 4688 4716 cmd.exe taskkill.exe PID 4716 wrote to memory of 4688 4716 cmd.exe taskkill.exe PID 208 wrote to memory of 3032 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 3032 208 Orcus_Vgk.exe cmd.exe PID 3032 wrote to memory of 540 3032 cmd.exe taskkill.exe PID 3032 wrote to memory of 540 3032 cmd.exe taskkill.exe PID 208 wrote to memory of 1772 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 1772 208 Orcus_Vgk.exe cmd.exe PID 1772 wrote to memory of 2348 1772 cmd.exe taskkill.exe PID 1772 wrote to memory of 2348 1772 cmd.exe taskkill.exe PID 208 wrote to memory of 3932 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 3932 208 Orcus_Vgk.exe cmd.exe PID 3932 wrote to memory of 2428 3932 cmd.exe taskkill.exe PID 3932 wrote to memory of 2428 3932 cmd.exe taskkill.exe PID 208 wrote to memory of 4868 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 4868 208 Orcus_Vgk.exe cmd.exe PID 4868 wrote to memory of 2164 4868 cmd.exe msedge.exe PID 4868 wrote to memory of 2164 4868 cmd.exe msedge.exe PID 208 wrote to memory of 4252 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 4252 208 Orcus_Vgk.exe cmd.exe PID 4252 wrote to memory of 368 4252 cmd.exe taskkill.exe PID 4252 wrote to memory of 368 4252 cmd.exe taskkill.exe PID 208 wrote to memory of 1348 208 Orcus_Vgk.exe cmd.exe PID 208 wrote to memory of 1348 208 Orcus_Vgk.exe cmd.exe PID 1348 wrote to memory of 2772 1348 cmd.exe taskkill.exe PID 1348 wrote to memory of 2772 1348 cmd.exe taskkill.exe PID 1316 wrote to memory of 992 1316 msedge.exe msedge.exe PID 1316 wrote to memory of 992 1316 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe"C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start https://discord.gg/UM2uzqxWhJ2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/UM2uzqxWhJ3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x9c,0x104,0x7ffe316b46f8,0x7ffe316b4708,0x7ffe316b47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5204 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4788 /prefetch:84⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7c35a5460,0x7ff7c35a5470,0x7ff7c35a54805⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im KsDumperClient.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im KsDumper.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe" MD53⤵
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im ProcessHacker.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im idaq.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im idaq64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Wireshark.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Fiddler.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im FiddlerEverywhere.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Xenos64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Xenos.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Xenos32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im de4dot.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Cheat Engine.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-x86_64.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im MugenJinFuu-i386.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-x86_64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-i386.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTP Debugger Windows Service (32 bit).exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im KsDumper.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im x64dbg.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im x32dbg.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Ida64.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50820611471c1bb55fa7be7430c7c6329
SHA15ce7a9712722684223aced2522764c1e3a43fbb9
SHA256f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75
SHA51277ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5425e83cc5a7b1f8edfbec7d986058b01
SHA1432a90a25e714c618ff30631d9fdbe3606b0d0df
SHA256060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd
SHA5124bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD5b564c67c7082a309f242d6bb27905ab6
SHA1cad6a8881c0c346bf53e59aa422bf6c3130df04e
SHA2562c97a303ae360922a75fca7ad7ecb8c30a66c307718e317518e1a7d4914dc202
SHA5123ca96fadf0c6bbf2f2e129ed686603c511e4e63651fe7253376268b6e7556f4bb3ba7c5795e8b53f77a030480011f95058cabcb7af4bc990871df5bda1e07055
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
408B
MD5fc3481bb2eed6d1174485a74fb3d5568
SHA19df46743d4c521fc9717b0a0215530d3025e0128
SHA25694ddda83cf5d8a51339d1d9268b9fce95bef63796a3e2cd2385702ee0d36c5b6
SHA5128c9fefd5857c8e3a7b105f6f9b412373e59aa75ddb26f9436c7d7482edda51adba07fd21a533a3b5756ddf9798f9eb25725d3ae3215f701b27095e1e688d4230
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD50ec417b53fe546f3b89d98355a1cb8ec
SHA127ab20c682e5069aed9d64394738c2a12ddf1d1c
SHA2560d66244c49e8186ef79155245544c6041952f11c7c8d1530cae02ccfa063c7f9
SHA512573b573859b7317f0f895fa014ba39b3b21c906ddf69d053af37a27c25a93a3e2e55dc7c961beca06ba36f55d0685255f08dcba6bd718571b252b735d36cbd62
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
656B
MD59047774474f57a2576c4e526a519671a
SHA1cd31ebc04f6cf300382599b929d6f5abd8f7b685
SHA25605b073e9477061b97535eecf73909ff0428a74406bb36637db792439d7ea1252
SHA512078eff9f093de5a4047a3162a00a14a710d5464f2951a5feeb8a7526a2a4e8b3da142bb56bf4d42c046a3ca4b99b2bda3d786727cf049eeffba1b4de7901522c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD5690a3ba22b0066a88a3fe21ae2313450
SHA1a1b0dc5171390e0a6c6764e53aa64c4d52137abb
SHA256a9418b284760a45ac77ba6deb98460479c168cd6124e50b7c15f3846554b31d5
SHA51226ca4587306b477e2d553bedb8420391e84615b1e3d9ea57ab2825f98c14c6306a7412273810d104d66457aa12bb7dcdf77bd743f597c1a80e8afc70c29c0538
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD52fe4699cad76b7b2ae5ee451532c8b7c
SHA1c74b963154f1780f4b7cd22fb6aa4d05d1cf866e
SHA256c546a5098b69c11972900055b4cef27f70da494338c5c1170f1baa51be9aad77
SHA512a34ba7a158f5993e633805df6663b41cfa5e235a2e2d13b9a02fff94a62d82c54acabf447a418965fba0fbaea397bc52d6e7996759c2b9c2a6862d7c00053a4f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD54192319e0209c186e133d54b1dc4afc4
SHA1fd29665736b5cbc6a9178b8d32cf016ce98d5574
SHA2565546c1b0a35251a92a0a80f4443ca79542bc9ddacf7fb2386ab8f1b7be25d630
SHA5127a21e9df7c765bc68692a06d8d94d8540442f79f030f638ef0818708da55beb9e9ad7efae3691baa90d71a189b73a148b29f81c7ce630a210d37d2a0e840db2d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD5d53ac35ab3976e67caeed75c4d44ffc1
SHA1c139ab66d75dc06f98ada34b5baf4d5693266176
SHA256647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437
SHA512391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD5803dc1784af6c23fefe6f422910a15de
SHA15be95b5ff0c51b4a8457fcbfc06a889f97f49958
SHA2567898328cfdacad2ffc73764dc6c6e659049b9b9fc042cfcd86e99cbf920d7670
SHA5123645cb8bb72eaa83767b32b3415069dbae186929b535bc21091d102ea3b58e8fa1c6cb5e0d010269cd686803e27e0bcf41070ddcfee7ed00f869dc5d1c055b32
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5dcada4ade69e7ea2a288fb61ab3dc6e3
SHA176dde96a26fb65a2464e939a6e93702e47b7cc04
SHA256b960a63d0327e28fef5e8ff94aa2680f15cf791b523ba6047d17f7dd71e4ee47
SHA5124291175381b20545e369071ae4fec43378c4a71ae3bd623412ee958f95513bbe920a249bd54fb84254c0715adbee99e57a20c589cf96729869acdb964b0733ee
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD5a4bf7dfe731430bb94d657cd819a7bea
SHA1bb8d451361096e1dc8ba4cdd18329f39d955c1a2
SHA256ba50758e093e1e9b14f1a228a0472b96b46aef37026aed652088735a6696c7a1
SHA51230a3c1421c76aeb81e2d0b4506e8f4a4c44a0e5947a2650e9b53b14807e8c3c67771280a4b4f14f440b4c33e419556a444ef49146abfc52d3224ca6cdff2ddeb
-
\??\pipe\LOCAL\crashpad_1316_VJHYDISQEUMVKIZUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/208-248-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmpFilesize
10.0MB
-
memory/208-138-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmpFilesize
10.0MB
-
memory/208-137-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmpFilesize
10.0MB
-
memory/208-133-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmpFilesize
10.0MB
-
memory/208-350-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmpFilesize
10.0MB
-
memory/208-136-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmpFilesize
10.0MB
-
memory/208-135-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmpFilesize
10.0MB
-
memory/208-139-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmpFilesize
10.0MB
-
memory/208-134-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmpFilesize
10.0MB
-
memory/208-419-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmpFilesize
10.0MB