2d711cdf078f65d2ec4869021fba98d9d2d4d0d27d89e7a8825ad6f659200505

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orcus_Vgk.exe
Size

3.7MB
MD5

1e88604f32e24a69fcccf04bcb5a8fa0
SHA1

84f22a7ed74ce0ae4643c84343c0d2b94ceb16bf
SHA256

2d711cdf078f65d2ec4869021fba98d9d2d4d0d27d89e7a8825ad6f659200505
SHA512

0e21e15646e7acbec56cc148e60367387bd9002a16e37748903ada8c23b01918fcff5c7f2cf72a385ab23aa14e841babe7604eaec35b034d92f38820095bd9e2
SSDEEP

98304:nxULIzdQpR9cUEQZD8Q41wKE7WZBAIbbAhP3w3/yo:xUWI9bEMX4iL7UBAeAhPg3r

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Orcus_Vgk.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Orcus_Vgk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Orcus_Vgk.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Orcus_Vgk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Orcus_Vgk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Orcus_Vgk.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/208-133-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp	themida
behavioral1/memory/208-134-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp	themida
behavioral1/memory/208-135-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp	themida
behavioral1/memory/208-136-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp	themida
behavioral1/memory/208-137-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp	themida
behavioral1/memory/208-138-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp	themida
behavioral1/memory/208-139-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp	themida
behavioral1/memory/208-248-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp	themida
behavioral1/memory/208-350-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp	themida
behavioral1/memory/208-419-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Orcus_Vgk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Orcus_Vgk.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Orcus_Vgk.exe

pid process

208 Orcus_Vgk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Orcus_Vgk.exe

pid	process
208	Orcus_Vgk.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bd87f888-5505-4fd2-ba3e-34cc2447fde4.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230322051314.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 36 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4288	taskkill.exe
368	taskkill.exe
728	taskkill.exe
2348	taskkill.exe
2164	taskkill.exe
4828	taskkill.exe
3296	taskkill.exe
2752	taskkill.exe
2080	taskkill.exe
4308	taskkill.exe
1144	taskkill.exe
4828	taskkill.exe
4476	taskkill.exe
1476	taskkill.exe
2188	taskkill.exe
3936	taskkill.exe
5028	taskkill.exe
1072	taskkill.exe
2572	taskkill.exe
4680	taskkill.exe
2428	taskkill.exe
3580	taskkill.exe
4448	taskkill.exe
2008	taskkill.exe
2680	taskkill.exe
1712	taskkill.exe
540	taskkill.exe
1860	taskkill.exe
4688	taskkill.exe
2772	taskkill.exe
5084	taskkill.exe
3964	taskkill.exe
4616	taskkill.exe
3044	taskkill.exe
1740	taskkill.exe
1160	taskkill.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeTrustedInstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1529757233-3489015626-3409890339-1000\{C18AAA6F-2D4C-4CA2-BB1A-E01A893A9436}	TrustedInstaller.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeTrustedInstaller.exeidentity_helper.exemsedge.exe

pid	process
2152	msedge.exe
2152	msedge.exe
1316	msedge.exe
1316	msedge.exe
3764	TrustedInstaller.exe
3764	TrustedInstaller.exe
5244	identity_helper.exe
5244	identity_helper.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1316 msedge.exe
1316 msedge.exe
1316 msedge.exe
1316 msedge.exe
1316 msedge.exe
1316 msedge.exe
1316 msedge.exe

pid	process
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exemsedge.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeDebugPrivilege	728	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	2164	msedge.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	1144	cmd.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	1072	Conhost.exe
Token: SeDebugPrivilege	4448	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

1316 msedge.exe
1316 msedge.exe
1316 msedge.exe

pid	process
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Orcus_Vgk.execmd.execmd.execmd.execmd.execmd.exemsedge.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 208 wrote to memory of 3164	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 3164	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 4784	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 4784	208	Orcus_Vgk.exe	cmd.exe
PID 4784 wrote to memory of 1860	4784	cmd.exe	taskkill.exe
PID 4784 wrote to memory of 1860	4784	cmd.exe	taskkill.exe
PID 208 wrote to memory of 2236	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 2236	208	Orcus_Vgk.exe	cmd.exe
PID 2236 wrote to memory of 2080	2236	cmd.exe	taskkill.exe
PID 2236 wrote to memory of 2080	2236	cmd.exe	taskkill.exe
PID 208 wrote to memory of 1740	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 1740	208	Orcus_Vgk.exe	cmd.exe
PID 1740 wrote to memory of 4680	1740	cmd.exe	taskkill.exe
PID 1740 wrote to memory of 4680	1740	cmd.exe	taskkill.exe
PID 208 wrote to memory of 3296	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 3296	208	Orcus_Vgk.exe	cmd.exe
PID 3164 wrote to memory of 1316	3164	cmd.exe	msedge.exe
PID 3164 wrote to memory of 1316	3164	cmd.exe	msedge.exe
PID 3296 wrote to memory of 728	3296	cmd.exe	taskkill.exe
PID 3296 wrote to memory of 728	3296	cmd.exe	taskkill.exe
PID 208 wrote to memory of 3340	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 3340	208	Orcus_Vgk.exe	cmd.exe
PID 1316 wrote to memory of 2180	1316	msedge.exe	msedge.exe
PID 1316 wrote to memory of 2180	1316	msedge.exe	msedge.exe
PID 208 wrote to memory of 4460	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 4460	208	Orcus_Vgk.exe	cmd.exe
PID 3340 wrote to memory of 4768	3340	cmd.exe	certutil.exe
PID 3340 wrote to memory of 4768	3340	cmd.exe	certutil.exe
PID 3340 wrote to memory of 4648	3340	cmd.exe	find.exe
PID 3340 wrote to memory of 4648	3340	cmd.exe	find.exe
PID 3340 wrote to memory of 2308	3340	cmd.exe	find.exe
PID 3340 wrote to memory of 2308	3340	cmd.exe	find.exe
PID 4460 wrote to memory of 1160	4460	cmd.exe	taskkill.exe
PID 4460 wrote to memory of 1160	4460	cmd.exe	taskkill.exe
PID 208 wrote to memory of 4716	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 4716	208	Orcus_Vgk.exe	cmd.exe
PID 4716 wrote to memory of 4688	4716	cmd.exe	taskkill.exe
PID 4716 wrote to memory of 4688	4716	cmd.exe	taskkill.exe
PID 208 wrote to memory of 3032	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 3032	208	Orcus_Vgk.exe	cmd.exe
PID 3032 wrote to memory of 540	3032	cmd.exe	taskkill.exe
PID 3032 wrote to memory of 540	3032	cmd.exe	taskkill.exe
PID 208 wrote to memory of 1772	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 1772	208	Orcus_Vgk.exe	cmd.exe
PID 1772 wrote to memory of 2348	1772	cmd.exe	taskkill.exe
PID 1772 wrote to memory of 2348	1772	cmd.exe	taskkill.exe
PID 208 wrote to memory of 3932	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 3932	208	Orcus_Vgk.exe	cmd.exe
PID 3932 wrote to memory of 2428	3932	cmd.exe	taskkill.exe
PID 3932 wrote to memory of 2428	3932	cmd.exe	taskkill.exe
PID 208 wrote to memory of 4868	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 4868	208	Orcus_Vgk.exe	cmd.exe
PID 4868 wrote to memory of 2164	4868	cmd.exe	msedge.exe
PID 4868 wrote to memory of 2164	4868	cmd.exe	msedge.exe
PID 208 wrote to memory of 4252	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 4252	208	Orcus_Vgk.exe	cmd.exe
PID 4252 wrote to memory of 368	4252	cmd.exe	taskkill.exe
PID 4252 wrote to memory of 368	4252	cmd.exe	taskkill.exe
PID 208 wrote to memory of 1348	208	Orcus_Vgk.exe	cmd.exe
PID 208 wrote to memory of 1348	208	Orcus_Vgk.exe	cmd.exe
PID 1348 wrote to memory of 2772	1348	cmd.exe	taskkill.exe
PID 1348 wrote to memory of 2772	1348	cmd.exe	taskkill.exe
PID 1316 wrote to memory of 992	1316	msedge.exe	msedge.exe
PID 1316 wrote to memory of 992	1316	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe
"C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://discord.gg/UM2uzqxWhJ
2⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/UM2uzqxWhJ
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x9c,0x104,0x7ffe316b46f8,0x7ffe316b4708,0x7ffe316b4718
4⤵
PID:2180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
4⤵
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
4⤵
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
4⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
4⤵
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
4⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5204 /prefetch:8
4⤵
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4788 /prefetch:8
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
4⤵
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
4⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
4⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7c35a5460,0x7ff7c35a5470,0x7ff7c35a5480
5⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
4⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
4⤵
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16973732059614558589,17584106860793132508,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumperClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Orcus_Vgk.exe" MD5
3⤵
PID:4768

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:4648

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\system32\taskkill.exe
taskkill /f /im ProcessHacker.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\taskkill.exe
taskkill /f /im Wireshark.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\system32\taskkill.exe
taskkill /f /im Fiddler.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\system32\taskkill.exe
taskkill /f /im FiddlerEverywhere.exe
3⤵
- Kills process with taskkill
PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
2⤵
PID:4508

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos32.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
2⤵
PID:4476

C:\Windows\system32\taskkill.exe
taskkill /f /im de4dot.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
2⤵
PID:2228

C:\Windows\system32\taskkill.exe
taskkill /f /im Cheat Engine.exe
3⤵
- Kills process with taskkill
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
PID:4136

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
3⤵
- Kills process with taskkill
PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:4448

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:2216

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
2⤵
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-i386.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
PID:1860

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
2⤵
PID:1700

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-i386.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
2⤵
PID:4916

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
3⤵
- Kills process with taskkill
PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:2864

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
2⤵
PID:2192

C:\Windows\system32\taskkill.exe
taskkill /f /im x64dbg.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
2⤵
PID:1240

C:\Windows\system32\taskkill.exe
taskkill /f /im x32dbg.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2248

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:1516

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
2⤵
PID:3164

C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
3⤵
- Kills process with taskkill
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:3632

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
2⤵
PID:2864

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
2⤵
PID:940

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:4112

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2080

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4480

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:940

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
b564c67c7082a309f242d6bb27905ab6

SHA1
cad6a8881c0c346bf53e59aa422bf6c3130df04e

SHA256
2c97a303ae360922a75fca7ad7ecb8c30a66c307718e317518e1a7d4914dc202

SHA512
3ca96fadf0c6bbf2f2e129ed686603c511e4e63651fe7253376268b6e7556f4bb3ba7c5795e8b53f77a030480011f95058cabcb7af4bc990871df5bda1e07055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
fc3481bb2eed6d1174485a74fb3d5568

SHA1
9df46743d4c521fc9717b0a0215530d3025e0128

SHA256
94ddda83cf5d8a51339d1d9268b9fce95bef63796a3e2cd2385702ee0d36c5b6

SHA512
8c9fefd5857c8e3a7b105f6f9b412373e59aa75ddb26f9436c7d7482edda51adba07fd21a533a3b5756ddf9798f9eb25725d3ae3215f701b27095e1e688d4230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
0ec417b53fe546f3b89d98355a1cb8ec

SHA1
27ab20c682e5069aed9d64394738c2a12ddf1d1c

SHA256
0d66244c49e8186ef79155245544c6041952f11c7c8d1530cae02ccfa063c7f9

SHA512
573b573859b7317f0f895fa014ba39b3b21c906ddf69d053af37a27c25a93a3e2e55dc7c961beca06ba36f55d0685255f08dcba6bd718571b252b735d36cbd62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
656B

MD5
9047774474f57a2576c4e526a519671a

SHA1
cd31ebc04f6cf300382599b929d6f5abd8f7b685

SHA256
05b073e9477061b97535eecf73909ff0428a74406bb36637db792439d7ea1252

SHA512
078eff9f093de5a4047a3162a00a14a710d5464f2951a5feeb8a7526a2a4e8b3da142bb56bf4d42c046a3ca4b99b2bda3d786727cf049eeffba1b4de7901522c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
690a3ba22b0066a88a3fe21ae2313450

SHA1
a1b0dc5171390e0a6c6764e53aa64c4d52137abb

SHA256
a9418b284760a45ac77ba6deb98460479c168cd6124e50b7c15f3846554b31d5

SHA512
26ca4587306b477e2d553bedb8420391e84615b1e3d9ea57ab2825f98c14c6306a7412273810d104d66457aa12bb7dcdf77bd743f597c1a80e8afc70c29c0538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
2fe4699cad76b7b2ae5ee451532c8b7c

SHA1
c74b963154f1780f4b7cd22fb6aa4d05d1cf866e

SHA256
c546a5098b69c11972900055b4cef27f70da494338c5c1170f1baa51be9aad77

SHA512
a34ba7a158f5993e633805df6663b41cfa5e235a2e2d13b9a02fff94a62d82c54acabf447a418965fba0fbaea397bc52d6e7996759c2b9c2a6862d7c00053a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4192319e0209c186e133d54b1dc4afc4

SHA1
fd29665736b5cbc6a9178b8d32cf016ce98d5574

SHA256
5546c1b0a35251a92a0a80f4443ca79542bc9ddacf7fb2386ab8f1b7be25d630

SHA512
7a21e9df7c765bc68692a06d8d94d8540442f79f030f638ef0818708da55beb9e9ad7efae3691baa90d71a189b73a148b29f81c7ce630a210d37d2a0e840db2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
803dc1784af6c23fefe6f422910a15de

SHA1
5be95b5ff0c51b4a8457fcbfc06a889f97f49958

SHA256
7898328cfdacad2ffc73764dc6c6e659049b9b9fc042cfcd86e99cbf920d7670

SHA512
3645cb8bb72eaa83767b32b3415069dbae186929b535bc21091d102ea3b58e8fa1c6cb5e0d010269cd686803e27e0bcf41070ddcfee7ed00f869dc5d1c055b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
dcada4ade69e7ea2a288fb61ab3dc6e3

SHA1
76dde96a26fb65a2464e939a6e93702e47b7cc04

SHA256
b960a63d0327e28fef5e8ff94aa2680f15cf791b523ba6047d17f7dd71e4ee47

SHA512
4291175381b20545e369071ae4fec43378c4a71ae3bd623412ee958f95513bbe920a249bd54fb84254c0715adbee99e57a20c589cf96729869acdb964b0733ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
a4bf7dfe731430bb94d657cd819a7bea

SHA1
bb8d451361096e1dc8ba4cdd18329f39d955c1a2

SHA256
ba50758e093e1e9b14f1a228a0472b96b46aef37026aed652088735a6696c7a1

SHA512
30a3c1421c76aeb81e2d0b4506e8f4a4c44a0e5947a2650e9b53b14807e8c3c67771280a4b4f14f440b4c33e419556a444ef49146abfc52d3224ca6cdff2ddeb

Download Submit
\??\pipe\LOCAL\crashpad_1316_VJHYDISQEUMVKIZU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/208-248-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp

Filesize
10.0MB

Download
memory/208-138-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp

Filesize
10.0MB

Download
memory/208-137-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp

Filesize
10.0MB

Download
memory/208-133-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp

Filesize
10.0MB

Download
memory/208-350-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp

Filesize
10.0MB

Download
memory/208-136-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp

Filesize
10.0MB

Download
memory/208-135-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp

Filesize
10.0MB

Download
memory/208-139-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp

Filesize
10.0MB

Download
memory/208-134-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp

Filesize
10.0MB

Download
memory/208-419-0x00007FF7BD590000-0x00007FF7BDF89000-memory.dmp

Filesize
10.0MB

Download