4ded7f148a12c9134661f74d9de3962af2649d7000c5a0ba65d4b26462a030c7

Analysis

max time kernel
174s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bauchbeinepo.exe
Size

250KB
MD5

a4cb34b308433dee79296704ee059199
SHA1

4daee93d350f9972127786ec44499cc247d11997
SHA256

0b50fe70c1c36610388028cdbe442875146961c66b80ab32a928b60727844129
SHA512

6dde86bc95df8190aa3cc0678ee382a9762175e700745a9c3c48cdd22a073ece7ab02dbbf4dc45b1920a8599900e405b59fced2664f4af8fdc4336eb149c7879
SSDEEP

6144:nnwbl9wVeyDx578c4uxHWb/CWkIQo50GaDTt8zcjj133FWlNJhoD:nwb/wBDx57v4u1Wb/CWkIp5DaDTt8zKx

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
5488	bauchbeinepo.exe
924	bauchbeinepo.exe
4496	bauchbeinepo.exe
4284	bauchbeinepo.exe
5880	bauchbeinepo.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
69	discord.com
74	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{E9D4B15E-0106-4C2F-8E99-89A5786257B6}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4052	msedge.exe
4052	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
3944	identity_helper.exe
3944	identity_helper.exe
4860	msedge.exe
4860	msedge.exe
456	msedge.exe
456	msedge.exe
5948	identity_helper.exe
5948	identity_helper.exe
4508	msedge.exe
4508	msedge.exe
2012	msedge.exe
2012	msedge.exe

Suspicious behavior: LoadsDriver 11 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	5976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5976	AUDIODG.EXE
Token: SeRestorePrivilege	5300	7zFM.exe
Token: 35	5300	7zFM.exe
Token: SeSecurityPrivilege	5300	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
5840	osk.exe
5840	osk.exe
5840	osk.exe
5840	osk.exe
5840	osk.exe
5840	osk.exe
5840	osk.exe
5840	osk.exe
5840	osk.exe
5840	osk.exe
5840	osk.exe
5840	osk.exe
5840	osk.exe
5840	osk.exe
2408	osk.exe
2408	osk.exe
2408	osk.exe
2408	osk.exe
2408	osk.exe
2408	osk.exe
2408	osk.exe
2408	osk.exe
2408	osk.exe
2408	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2748	1456	msedge.exe	92
PID 1456 wrote to memory of 2748	1456	msedge.exe	92
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 2420	1456	msedge.exe	93
PID 1456 wrote to memory of 4052	1456	msedge.exe	94
PID 1456 wrote to memory of 4052	1456	msedge.exe	94
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95
PID 1456 wrote to memory of 3620	1456	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\bauchbeinepo.exe
"C:\Users\Admin\AppData\Local\Temp\bauchbeinepo.exe"
1⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff967f46f8,0x7fff967f4708,0x7fff967f4718
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,15647021850570032628,14391368336014900444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,15647021850570032628,14391368336014900444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,15647021850570032628,14391368336014900444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15647021850570032628,14391368336014900444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15647021850570032628,14391368336014900444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15647021850570032628,14391368336014900444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15647021850570032628,14391368336014900444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15647021850570032628,14391368336014900444,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15647021850570032628,14391368336014900444,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15647021850570032628,14391368336014900444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15647021850570032628,14391368336014900444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5520

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x38c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5148

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Users\Admin\Desktop\bauchbeinepo.exe
"C:\Users\Admin\Desktop\bauchbeinepo.exe"
1⤵
PID:5876

C:\Users\Admin\Desktop\bauchbeinepo.exe
"C:\Users\Admin\Desktop\bauchbeinepo.exe"
1⤵
PID:2648

C:\Users\Admin\Desktop\bauchbeinepo.exe
"C:\Users\Admin\Desktop\bauchbeinepo.exe"
1⤵
PID:4456

C:\Users\Admin\Desktop\bauchbeinepo.exe
"C:\Users\Admin\Desktop\bauchbeinepo.exe"
1⤵
PID:1400

C:\Users\Admin\Desktop\bauchbeinepo.exe
"C:\Users\Admin\Desktop\bauchbeinepo.exe"
1⤵
PID:2068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff967f46f8,0x7fff967f4708,0x7fff967f4718
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,10651061620872086128,7364474695497205189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6028

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Desktop.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5300

C:\Users\Admin\Desktop\New folder\bauchbeinepo.exe
"C:\Users\Admin\Desktop\New folder\bauchbeinepo.exe"
1⤵
- Executes dropped EXE
PID:5488

C:\Users\Admin\Desktop\New folder\bauchbeinepo.exe
"C:\Users\Admin\Desktop\New folder\bauchbeinepo.exe" "C:\Users\Admin\Desktop\New folder\iqvw64e.sys"
1⤵
- Executes dropped EXE
PID:924

C:\Users\Admin\Desktop\New folder\bauchbeinepo.exe
"C:\Users\Admin\Desktop\New folder\bauchbeinepo.exe"
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:1208
- C:\Users\Admin\Desktop\New folder\bauchbeinepo.exe
  bauchbeinepo.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Users\Admin\Desktop\New folder\bauchbeinepo.exe
  bauchbeinepo.exe iqvw64e.sys
  2⤵
  - Executes dropped EXE
  PID:5880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b1aef3676143908be2b684dd6601e248

SHA1
6b1c544684c0c7fbe483212f7e27a3e8c5bfe3db

SHA256
0f1584b492e5dba4483992d595195856a28d4a079121c6f6831e1da8767be112

SHA512
a7bb38099020bfd2571be09326e2a5a9a0529a19f22a56d619142fb7a06e0e28fb116eb53fc2f67ed200b2c2cd33616b885a30115f23e6bf1570b28db8aee7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
b6d7cc490b0f2c13bad376f2d85af063

SHA1
6f9210a0d916967f73fa73f6b1a0ee2d406eddef

SHA256
8aa297c1d83d2e9912cad6bf100aebd16b9e777d86ae077d098d75cf0b1c1bd8

SHA512
706656841d6883c219f05982dabf2fa0e76fd51773b7f04e9074f889c1f9d0df268ddc9eb023f901a01036d550ba1d7df194d89bcb1c36e6ee4213a71fe61f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
143dd96ffc1700aa949804810d7a0ce6

SHA1
cb42735640a27cb4ca5a754f5710eeb403006753

SHA256
3affc16780a8ddc088cc9c88b28422382f355a8e80a5ac7949c4d59a6d2ccc1f

SHA512
7c7f5c22670a462e612e4cd370e002491169f171753054d578ca56f07209e6079522db7d2751e01f895d84bddcad4f4588d9c3737bd25720c8feb44b2993c66f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
de114a9bec913f134bf442ec62913a28

SHA1
c541a2ef2cb780f68f583bcd81bdc03dffaadd56

SHA256
e30c66962062f2a331166ecbec378a0decd5a34125c71162da37d662bcd4cdc9

SHA512
9572efa344f20e792ed0a9ced9e8b27fdf8712e164a3328bb2742fdaa46857bf0e403448b201c6d2ce56658e3e6b178f659b8bc1a743f25e0da06b1b8f35442f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
cada50f77e958779f8aed8977041346b

SHA1
6baea500c72cefbe576dd0f60445bae20fad4a85

SHA256
d1210e6c25e1d54f4869a183180765204c8ccde6c9dc06c525499a18f3779e2f

SHA512
cf1a657abe13e9e7f468a4a518d4324c4a09142d38685f4e817ba0012d6e54949c33730931254bce8117de2d102eea73d4986d713b814b649f389040e6442d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63425bdb8b72527a48937261a9d9915b

SHA1
6f6f089acebba56971119e2d26d5e7c66acca961

SHA256
34ad17523cae8e0792ebb8d9164ab702e997d16690ac8d6c408deafe1c4a6b86

SHA512
3d334b7d618d1be5c8664a7865e0e3c9275621d3993dadf49af58cbf73b2ca32cd3083ec71a218711becf05155304047c566b4cf5d13224cf3c7c52ef2f67a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7346ab242943363c90266dec66dd6f7a

SHA1
910a497ec26e3004f536b98ce2f05e32ff84c094

SHA256
36e59cc4b550df2315d3b856083dc3c40654e1d378176aebe56d753675dd1dd3

SHA512
6954f85bb194a1690ed50da5c8d902fa16b1e5528ba4a4c3dc490daf90e9d24e1789b264828197095f64d49028e5854146914a4ce267c66d2552b5c4a5340ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b6283c9d377bdded6a9913784c21818

SHA1
8b4abdee1937815e5c60ef3210f4a390027c30f4

SHA256
35eaf34e3a567df64a607b219f5b3acb03d5c12cec2af6ff57d8cd8fe1082b89

SHA512
019e56329b68304428d7fea19b4f6f302bc4623fc56a517e285f16e41028d95afabbd6bdf69ad10f64192203a284d218798eacabb400662fc992f87e4f18c803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1f82434e4bab77d0e663cfb2e39a8bc7

SHA1
3ab68dd85bfd0274d1fcf54a3a56927e292bfbb2

SHA256
2dcab8d52807f939bd856469a06a3eb9469cbcd5b24b0ea53442aaab96ea9e55

SHA512
03ece3faa6938cc090f042aff1dbc9dd7ce6fc07bec4fc958164e1d800fda6a7334b0b972c6fbd15ab5597ffef143af1f0472c84f352ada7b93d6ed5784ffc58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3cc5b5b08561dbe081744f39df10c3d0

SHA1
afd82e9390b337589cf48b82057c0d78818957a4

SHA256
622d26dadf03008ace43318492de4920444c6a644fe46ad422832237edbb96dd

SHA512
95571b77ce93638fb23f8ef5bff449118184e42cfb6b0d7517da9fd2ba54132e2e188ce697d6adf69ab9e908e44821ffa5caec5afcf22ee6cf578374e12a11fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7096d2737edfc4224fc8d77a9159d323

SHA1
f8d12159816a4ed6af488730629d746ea38a743e

SHA256
e6fe0fb0c5384dd1835bf53c10019b6a3174ed23aaa27493ef2d47c520224e60

SHA512
7a507fcdfdc751c83991d3d8cb56f9387b0097f589908d5e46edf17c0faabed6bc6bd0c72cb3de1f6c1a1e53a8dae4a84403208fed03b4620475223eb4c51754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
1add704384e2a9c71d448553cef836d6

SHA1
3be0a028cd0a20405b7c5b29a0810623f6383f1e

SHA256
5cf73918387eda3eb877da10f1cf31bdffd2534850d6769dc2636acdd2c8c75a

SHA512
41c6427ae6da36f35884285d2d10373570198bc6b2ebf5d6efec3d53da2ba420c867470f6139aaa9da3ab664daa12faac8ed12038936c692872b20986234ca7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13368386024426058

Filesize
1KB

MD5
3dad3268a7970f90b32b0e7265744d70

SHA1
54bb04a3ac4f116ce5f57e667666dc5948171cd5

SHA256
a0f1bba0c2a985a331e724ea1e8d093534a47a8677a0ccd35f4a1f71690599b8

SHA512
ed227fbdeacd15693d2d14690efc099acf76b75a9e2bf7b30f9240c7531791c772d58c013b76c7ffe2ffcc6a59409e94dc8afd2b1d340cb1e9169b0d89c8df2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13368386024622058

Filesize
1KB

MD5
0f04c267e4c6b6d04945aabaf56023f7

SHA1
7184f7701fde6ca16249d5c9f634db35690f65cd

SHA256
2304ce060659b44f2e6b6165eb57711cd36cace3ab3d66322abd97c502fc0075

SHA512
578915a6db4d9c0c14b376c635e4201aacadf9d27c07ee311226b26ddb2f21d90b8546b3d05855cd782890bbce28383664e4ee64beb734db666e5ff4f008fa03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
57ffb77d9fa1550879ce5f0aa28d772d

SHA1
c91df9d943ca3d4f4703d4af663350d603d20f42

SHA256
dcc85bd500a5f66fd24c3b5be4964c701dfcfbe113baca922a733210b1deaea3

SHA512
7ddc4910721bd278b7364369fce96b5402a33ede8aa61b608b1e157553ea0a1874cc8a43fff6f246424e6d18797ed589821560333e0f968e2783a34ff1c5e92b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
a1847726a94ba71f38491f57ffc3113a

SHA1
9c872c96b6278cee6a68fb414c204a0f39019232

SHA256
7ca3ee7a501b3ab8e92466574bc1a25412e6bb7fc65c7a91b947ad5c75f31f76

SHA512
f68f91c08ab419888d7e8082a0d2c016550afc95225d103c269d3028ccfe3e6b344fc4a00a4e7f8bee2d38bf11d78e15e5a8f0570d96315d393e20a27fd9c242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
3e0e1e60fb6935b9b38ed275c83e59d8

SHA1
8896f4540547e8a26745b907b1888483be2b390b

SHA256
9437b41b3a35f896b1f1b67dd9ccb1d3f996cac8b577eae65d5c9b02b0ffda1d

SHA512
60de685195bb2f61dd8f830bfcbd6773b20b6da95942a9cc3b3d9af8b6a1196c90c3e0366a9fa45bec5bbcc000b55f68e891f403e6de975285606b1fa8ca6d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
217d496f7f3b6fee38e568a3b16dabce

SHA1
55d952a79a3542376f6a7b9fd98e6d3296fa2ddc

SHA256
a5c141ac9e152674645c9e2b71cfd61c324f673a3c9fe8fe1288410d4f6c40c8

SHA512
74ad1d69229f75622619959948dda5422cebbd3fbe11aa295fb8244b6ebead62e9ff52eb25b5a5974f3a30e85123a93b0b18d0d774abfe6a3f6a399cd9a6a123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
d57a8ed5e22836ed077cb6e27506130e

SHA1
4731a42287378069c824cb8506fd5f700982ef81

SHA256
b5d29b2c20e9312a705fddfe3b4684cac387b11732d0bcbbdde9139a5b1a71dd

SHA512
a719a76c073e5dd590039fe3df78cf4027f96685453d6ae0b4512639f9f4949709b8ef2c2577cb16a61b3572d81fe631c2d789bde13ad30f02b487fcfaf9d050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
b1a68e5d2a1f11a529631e4213652077

SHA1
9d2e1eaeefb413640051cf3a718b53cc7fef6666

SHA256
dea674dbb018189d4a57d3d777eb4f8f1047dcbe55898ba84eb20a374b50fef4

SHA512
0e92f7e81f72ed4013401e9f8537da011b2f043c476c4c8c1be878740d12a2f01ee6019a895770a5bd3613c0581baea18d2a899719f4e9a65334b6a7ffbdd166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
b4bb45b372d220723ef4c8d3196a66c2

SHA1
c3e47832747be1bc429264a1784d6472b38621b4

SHA256
ad86e6c318ed4b226a101f85ef9158ab5fff56f371655da57c94d61197ce3456

SHA512
3fec0564184bfacd087a818a659d8d63f7f1fbbda612658debb4d2912f8414039d1cda4e8c18734d1fcdf9b65bc579cea3e90445b0c44017d3fce9f18e71dde6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
7dc416c6025ac472a20673d04bc68bc3

SHA1
1ed53ef6ac86fbd448f8eaf4322e886cbf2b94bf

SHA256
c6efc510f5ce90702003671f1cece799f7215e4e983065f0353e75a24c9032bc

SHA512
75a57379c8d874808dac74494934200d4854a4a3e9df98f3a7026531d64836ba881d870b7742077d40e3d5814a010aff1e598a37b44404df944944283f5e1e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
b5ab1fbed992a7dcd87d1c83ca341dfd

SHA1
5fa839e64c03ed081a6c25f52b49a15ef6005ead

SHA256
6f9dae5ee6e1e99416ac987e1e112b6179026382354785bf00681919af7c4afd

SHA512
80d544291c41fdc672a83668256df7005e6c16439ca8d45add5a91f7a29e9006299b50fa984bf93ef22c706609ac7c00b27d1d14a5286fec85f9cce8158d00b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
5d524545fd8e78f0b056f5e25adbfbe1

SHA1
0396dc16c67a77ed235400e7551b761a67f4c1d1

SHA256
d83e5bca4c978303b3bc25e3e1d2f0162cf44bcd1e79c015bb79b8987dedaa01

SHA512
d987210214a4016fd29440495a982fcc9c4eeea3a21a73641f514c0dafd9816d4391c2b09db288389c032fd4b08f092374347a08c141aaea45697133260279e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
d1204ffe8a620fec120848e0081e8d27

SHA1
a162e6df96541ed2e941ea73f15591a32ed4fb2f

SHA256
5b21406bffbb62ea3706b6cd3b57d59b16597f036b7fa7dfe0d08dfdc3f1549f

SHA512
a42c7d76325b442b48d812211358fa3031a2acfacad8c708b32842fd3af41643f8cdc31e64e92079239072186c44efea561145becc6256e9d15bc014a161c028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
22KB

MD5
1ac9e744574f723e217fb139ef1e86a9

SHA1
4194dce485bd10f2a030d2499da5c796dd12630f

SHA256
4564be03e04002c5f6eaeaea0aff16c5d0bbdad45359aef64f4c199cda8b195e

SHA512
b8515fb4b9470a7ce678331bbd59f44da47b627f87ea5a30d92ec1c6d583f1607539cd9318a5bccf0a0c6c2bd2637992e0519bd37acdf876f7a11ed184fb5109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f16a9116bb0ad0db4b5e8ca025907fb5

SHA1
2301b7027c3450e2312d5ec32f956cbb88d20074

SHA256
48255e469bed1a468630aef2dc9689945ec4a59453d17cd55c85e2bd4de03437

SHA512
72615cc80c4d1ed6dcc583d6ec807bd2356b92ac2cb529d24d99d8dd6691c66b97f2ccb737ec95a4e68a95cf324effb3f14ea99820ad23199177369be2f70764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
954443d816b269f2f4d26609dab46139

SHA1
e279cae3ae93196b5dfd7acd3cf075c90004cfc3

SHA256
934f6acc5ad2e5e1910c085403d577591934ff5003b59d6631117ddd9ab8d6aa

SHA512
8169b8c4fad1760bed4930b8452d95310e481fc1c055e01451f0495c0ed0534ecb5a4a7988f03681e1b4888420330c8c5e0db1485c96918a69dc304336fc8d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3320759bf8604d22e5872e383b3a48c7

SHA1
d38f90d29a47b30a7a8461026ecf8fffeb16233e

SHA256
8b3d435a32f06eb9d92036b3b642278d867fcba163f4de3aeed5fbf531a085f4

SHA512
98c0588ebf8b20eb17140900da6c85fe6d578af1ee2f3b44db0c00e0ac7b95e30dae46fa233022e8cbcced8b15e95d27305dc7a9e17eba11998cb025d37533a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
21feafca213994e2bc229acf45ff4edd

SHA1
5c62d697a8656224049ee1ca94da15272517b125

SHA256
602be066e416d3c949d976deb69069eafe1912a0fd07db85b3203020b0528ae7

SHA512
a25f61a7129e69adf72f98f0e681af9903945ae10fcc5d6078f93c30fda52a73f78a23cb7600a592f83139c18590689b4f88a92beb1dc3e9831ef99dd253ec45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
2042aa1d2917dcd7609c5c3365ad0f40

SHA1
eb9d5119fc853a3b1343d172e20da97f0a169ce4

SHA256
c0067e9e71c7e630ff2fe764dd579e3a301bfae092a87a34b8e2ecd60ad5b4f3

SHA512
cff80002a67d331781db9b4f7a96300e0b52bfe7793a162db13da137d3a2b6f5bea93d508afc0bad0fbefdfea1dca974af6d0babe7d9388c9a60e8cbf4fa7131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
91f201466b96fd303ff8aa3f7cedfdf3

SHA1
e5b4ef08fb4d62da833dacd3ea87a6d792d5ca68

SHA256
ade97908779bd55c355bf52d2bdbd302f8bc7288808aeb9bd8b2e6b8a2bb51e2

SHA512
72287caf33e0d1daba9b2723605a493a92a97de416f86630d49812f875b237245a841176dd0db32840f9e37a08f6011d9ca4f62cb9faa0303d7df2c6f22b71d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
9353ddf50bd68529cd4e4b8cb760c9ca

SHA1
6aa321bc8ab779418695f1a67ace6d234a3024e1

SHA256
061b43cb42b2e1aed10bd866993451044cc7e17b5c2db9464b769dbfbc851974

SHA512
4a08eb4b0383bac3bd615e9fc7e897ba9934b972a02625cf78c5a5d6085d9d7253dd4436f4dc5bb266c5520848ac1ba9ea41d0ef903bdacc4ce3088df96951e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqvw64e.sys

Filesize
33KB

MD5
1898ceda3247213c084f43637ef163b3

SHA1
d04e5db5b6c848a29732bfd52029001f23c3da75

SHA256
4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b

SHA512
84c3ccc657f83725b24a20f83b87577603f580993920cc42d6da58648c6888d950fd19fbb8b404ce51a3eab674066c5cefe275763fbdb32e1ae1ba98097ab377

Download Submit