Malware Analysis Report

2025-03-15 06:42

Sample ID 250123-n2c25syqaw
Target RAT.exe
SHA256 6d93347f32f5046a8dff6e59d67f43e1e0c11f51ca718c85e55246a57e49c22c
Tags
orcus discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d93347f32f5046a8dff6e59d67f43e1e0c11f51ca718c85e55246a57e49c22c

Threat Level: Known bad

The file RAT.exe was found to be: Known bad.

Malicious Activity Summary

orcus discovery rat spyware stealer

Orcus

Orcus main payload

Orcurs Rat Executable

Orcus family

Uses the VBS compiler for execution

Loads dropped DLL

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-23 11:53

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-23 11:53

Reported

2025-01-23 11:55

Platform

win7-20240903-en

Max time kernel

122s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RAT.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RAT.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RAT.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RAT.exe

"C:\Users\Admin\AppData\Local\Temp\RAT.exe"

Network

Country Destination Domain Proto
NL 195.88.218.126:10134 tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabC0C2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-23 11:53

Reported

2025-01-23 11:55

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RAT.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RAT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RAT.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\RAT.exe C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe
PID 3668 wrote to memory of 2456 N/A C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2472 wrote to memory of 1900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 3984 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 4656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 2068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RAT.exe

"C:\Users\Admin\AppData\Local\Temp\RAT.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x450 0x150

C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9330.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc932F.tmp"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa5ed746f8,0x7ffa5ed74708,0x7ffa5ed74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 195.88.218.126:10134 tcp
US 8.8.8.8:53 214.72.21.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 126.218.88.195.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 98.250.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 2.22.251.51:443 www.bing.com tcp
US 8.8.8.8:53 51.251.22.2.in-addr.arpa udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 2.22.251.18:443 r.bing.com tcp
US 2.22.251.42:443 th.bing.com tcp
US 8.8.8.8:53 18.251.22.2.in-addr.arpa udp
US 8.8.8.8:53 42.251.22.2.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.dll

MD5 ffb4b61cc11bec6d48226027c2c26704
SHA1 fa8b9e344accbdc4dffa9b5d821d23f0716da29e
SHA256 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
SHA512 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

memory/1316-26-0x0000000006030000-0x0000000006074000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.Direct3D11.dll

MD5 98eb5ba5871acdeaebf3a3b0f64be449
SHA1 c965284f60ef789b00b10b3df60ee682b4497de3
SHA256 d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
SHA512 a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

memory/1316-33-0x0000000006280000-0x00000000062CA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.Direct3D9.dll

MD5 934da0e49208d0881c44fe19d5033840
SHA1 a19c5a822e82e41752a08d3bd9110db19a8a5016
SHA256 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
SHA512 de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

memory/1316-40-0x0000000006330000-0x000000000638A000-memory.dmp

memory/1316-47-0x00000000062D0000-0x00000000062F6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.DXGI.dll

MD5 2b44c70c49b70d797fbb748158b5d9bb
SHA1 93e00e6527e461c45c7868d14cf05c007e478081
SHA256 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
SHA512 faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\TurboJpegWrapper.dll

MD5 ac6acc235ebef6374bed71b37e322874
SHA1 a267baad59cd7352167636836bad4b971fcd6b6b
SHA256 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
SHA512 72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

memory/1316-54-0x0000000007DC0000-0x0000000007F14000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\CSCore.dll

MD5 dde3ec6e17bc518b10c99efbd09ab72e
SHA1 a2306e60b74b8a01a0dbc1199a7fffca288f2033
SHA256 60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8
SHA512 09a528c18291980ca7c5ddca67625035bbb21b9d95ab0854670d28c59c4e7adc6d13a356fa1d2c9ad75d16b334ae9818e06ddb10408a3e776e4ef0d7b295f877

C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\OpusWrapper.dll

MD5 bf0ef47bea0139b87d42a449a0240101
SHA1 37b65cd6830088707be692d4602b10062a46b91a
SHA256 07ec44bca9b44de3b22f9d212db3ecc5191201e27e4310d7bb2b199deffbab5a
SHA512 830c5b380c844a8490cf482ef4ca4821b6185f5fd204c3edf21de0b449727448835b9cbfb103eb74aa91f05abb7390ed1c0ed5e815a7101d9127fc38382daa8a

memory/1316-71-0x0000000009660000-0x000000000973A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.cmdline


C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.0.vb


C:\Users\Admin\AppData\Local\Temp\vbc932F.tmp


C:\Users\Admin\AppData\Local\Temp\RES9330.tmp


C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.dll


C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\x86\turbojpeg.dll


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat


\??\pipe\LOCAL\crashpad_2472_YIEINRBAMCKGUKKW


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
