97cf7c8d47708f23419e1277d0879bf2089b790aee5944555f6aeab700f4d64f

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roshade.Setup.3.3.0.exe
Size

5.5MB
MD5

c2455b603f5a4e995b7d5a184df3901d
SHA1

77c2835e9a0894a998c61b33788146a6bb555722
SHA256

97cf7c8d47708f23419e1277d0879bf2089b790aee5944555f6aeab700f4d64f
SHA512

e82c162012f4a0528a58b0756b56b66697f4ae29d08290f3078a548520fae905eae444f43a7561be41a8a63274e240c25c8f0410e78d7fa273e7e893f9d5e727
SSDEEP

98304:iyRWtk/CIxS5jouiKluqosq9eke1NQW3++MOySqDx8QxrahNsRRx4xRZAVMWtTje:hspr+eke1Nh3eNtxw1PZAftTC

Score

8^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exemsedgewebview2.exemsedgewebview2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe

Executes dropped EXE 21 IoCs

Processes:

wv.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_111.0.1661.54.exesetup.exeMicrosoftEdgeUpdate.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe7zr.exe

pid	process
2816	wv.exe
3628	MicrosoftEdgeUpdate.exe
780	MicrosoftEdgeUpdate.exe
2764	MicrosoftEdgeUpdate.exe
1080	MicrosoftEdgeUpdateComRegisterShell64.exe
4496	MicrosoftEdgeUpdateComRegisterShell64.exe
4156	MicrosoftEdgeUpdateComRegisterShell64.exe
3800	MicrosoftEdgeUpdate.exe
4048	MicrosoftEdgeUpdate.exe
4900	MicrosoftEdgeUpdate.exe
3196	MicrosoftEdgeUpdate.exe
2780	MicrosoftEdge_X64_111.0.1661.54.exe
100	setup.exe
3636	MicrosoftEdgeUpdate.exe
1652	msedgewebview2.exe
3872	msedgewebview2.exe
1568	msedgewebview2.exe
4812	msedgewebview2.exe
2396	msedgewebview2.exe
3468	msedgewebview2.exe
5080	7zr.exe

Loads dropped DLL 42 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeRoshade.Setup.3.3.0.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

pid	process
3628	MicrosoftEdgeUpdate.exe
780	MicrosoftEdgeUpdate.exe
2764	MicrosoftEdgeUpdate.exe
1080	MicrosoftEdgeUpdateComRegisterShell64.exe
2764	MicrosoftEdgeUpdate.exe
4496	MicrosoftEdgeUpdateComRegisterShell64.exe
2764	MicrosoftEdgeUpdate.exe
4156	MicrosoftEdgeUpdateComRegisterShell64.exe
2764	MicrosoftEdgeUpdate.exe
3800	MicrosoftEdgeUpdate.exe
4048	MicrosoftEdgeUpdate.exe
4900	MicrosoftEdgeUpdate.exe
4900	MicrosoftEdgeUpdate.exe
4048	MicrosoftEdgeUpdate.exe
3196	MicrosoftEdgeUpdate.exe
3636	MicrosoftEdgeUpdate.exe
3236	Roshade.Setup.3.3.0.exe
1652	msedgewebview2.exe
3872	msedgewebview2.exe
1652	msedgewebview2.exe
1652	msedgewebview2.exe
1652	msedgewebview2.exe
1568	msedgewebview2.exe
4812	msedgewebview2.exe
1568	msedgewebview2.exe
1568	msedgewebview2.exe
4812	msedgewebview2.exe
4812	msedgewebview2.exe
2396	msedgewebview2.exe
2396	msedgewebview2.exe
2396	msedgewebview2.exe
1652	msedgewebview2.exe
1568	msedgewebview2.exe
3468	msedgewebview2.exe
3468	msedgewebview2.exe
1568	msedgewebview2.exe
1568	msedgewebview2.exe
1568	msedgewebview2.exe
1568	msedgewebview2.exe
1568	msedgewebview2.exe
3468	msedgewebview2.exe
1652	msedgewebview2.exe

Registers COM server for autorun 1 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.51\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.51\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B896F458-C5BF-43D0-8982-B94F7A11B9C7}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B896F458-C5BF-43D0-8982-B94F7A11B9C7}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.51\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B896F458-C5BF-43D0-8982-B94F7A11B9C7}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.51\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B896F458-C5BF-43D0-8982-B94F7A11B9C7}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.51\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.51\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.51\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B896F458-C5BF-43D0-8982-B94F7A11B9C7}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.51\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B896F458-C5BF-43D0-8982-B94F7A11B9C7}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B896F458-C5BF-43D0-8982-B94F7A11B9C7}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B896F458-C5BF-43D0-8982-B94F7A11B9C7}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B896F458-C5BF-43D0-8982-B94F7A11B9C7}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.51\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3236-133-0x00007FF7D55A0000-0x00007FF7D6214000-memory.dmp	upx
behavioral2/memory/3236-326-0x00007FF7D55A0000-0x00007FF7D6214000-memory.dmp	upx
behavioral2/memory/3236-569-0x00007FF7D55A0000-0x00007FF7D6214000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

setup.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Roshade.Setup.3.3.0.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Roshade.Setup.3.3.0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Roshade.Setup.3.3.0.exe

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exewv.exeMicrosoftEdge_X64_111.0.1661.54.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\am.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\is.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\mip_core.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\msedge.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Trust Protection Lists\Mu\Content	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\ne.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\tt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\gd.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\ka.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\pt-BR.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\Locales\pa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_ms.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\cy.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\mr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\msedgewebview2.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\ml.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\Locales\sk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F1F5699D-05DA-4441-A176-7E5E872679A2}\EDGEMITMP_3A094.tmp\setup.exe	MicrosoftEdge_X64_111.0.1661.54.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_lo.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\es.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\ja.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\msedge_100_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\msvcp140_codecvt_ids.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedge.exe.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_nb.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_zh-TW.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\lb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Notifications\SoftLandingAssetLight.gif	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\cookie_exporter.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\elevation_service.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\bn-IN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\lv.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\EBWebView\x86\EmbeddedBrowserWebView.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\Locales\ca.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\Locales\or.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\MicrosoftEdgeUpdateOnDemand.exe	wv.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_es-419.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_mi.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\bg.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\msedge_elf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\sr-Cyrl-BA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\ta.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\Trust Protection Lists\Sigma\Staging	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\Locales\sr-Cyrl-BA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_eu.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\ffmpeg.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\msedge_wer.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\fr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\wns_push_client.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\VisualElements\LogoDev.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_ml.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_lb.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\icudtl.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Locales\uk.pak	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\ProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\CurVer\ = "MicrosoftEdgeUpdate.Update3COMClassService.1.0"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CoreClass"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ELEVATION	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ = "Microsoft Edge Update CredentialDialog"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\CLSID\ = "{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe\AppID = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D47E8230-0C1F-4F8E-B50B-6F25865F4803}\InprocHandler32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass.1\CLSID\ = "{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ = "IPolicyStatus2"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D47E8230-0C1F-4F8E-B50B-6F25865F4803}\InprocHandler32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

MicrosoftEdgeUpdate.exeRoshade.Setup.3.3.0.exe

pid	process
3628	MicrosoftEdgeUpdate.exe
3628	MicrosoftEdgeUpdate.exe
3628	MicrosoftEdgeUpdate.exe
3628	MicrosoftEdgeUpdate.exe
3628	MicrosoftEdgeUpdate.exe
3628	MicrosoftEdgeUpdate.exe
3236	Roshade.Setup.3.3.0.exe
3236	Roshade.Setup.3.3.0.exe
3236	Roshade.Setup.3.3.0.exe
3236	Roshade.Setup.3.3.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

msedgewebview2.exe

pid process

1652 msedgewebview2.exe

pid	process
1652	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

MicrosoftEdgeUpdate.exe7zr.exe

description	pid	process
Token: SeDebugPrivilege	3628	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	3628	MicrosoftEdgeUpdate.exe
Token: SeRestorePrivilege	5080	7zr.exe
Token: 35	5080	7zr.exe
Token: SeSecurityPrivilege	5080	7zr.exe
Token: SeSecurityPrivilege	5080	7zr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Roshade.Setup.3.3.0.exemsedgewebview2.exe

pid process

3236 Roshade.Setup.3.3.0.exe
1652 msedgewebview2.exe

pid	process
3236	Roshade.Setup.3.3.0.exe
1652	msedgewebview2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Roshade.Setup.3.3.0.exewv.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_111.0.1661.54.exemsedgewebview2.exe

description	pid	process	target process
PID 3236 wrote to memory of 2816	3236	Roshade.Setup.3.3.0.exe	wv.exe
PID 3236 wrote to memory of 2816	3236	Roshade.Setup.3.3.0.exe	wv.exe
PID 3236 wrote to memory of 2816	3236	Roshade.Setup.3.3.0.exe	wv.exe
PID 2816 wrote to memory of 3628	2816	wv.exe	MicrosoftEdgeUpdate.exe
PID 2816 wrote to memory of 3628	2816	wv.exe	MicrosoftEdgeUpdate.exe
PID 2816 wrote to memory of 3628	2816	wv.exe	MicrosoftEdgeUpdate.exe
PID 3628 wrote to memory of 780	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3628 wrote to memory of 780	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3628 wrote to memory of 780	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3628 wrote to memory of 2764	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3628 wrote to memory of 2764	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3628 wrote to memory of 2764	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2764 wrote to memory of 1080	2764	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2764 wrote to memory of 1080	2764	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2764 wrote to memory of 4496	2764	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2764 wrote to memory of 4496	2764	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2764 wrote to memory of 4156	2764	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2764 wrote to memory of 4156	2764	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 3628 wrote to memory of 3800	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3628 wrote to memory of 3800	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3628 wrote to memory of 3800	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3628 wrote to memory of 4048	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3628 wrote to memory of 4048	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3628 wrote to memory of 4048	3628	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4900 wrote to memory of 3196	4900	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4900 wrote to memory of 3196	4900	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4900 wrote to memory of 3196	4900	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4900 wrote to memory of 2780	4900	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_111.0.1661.54.exe
PID 4900 wrote to memory of 2780	4900	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_111.0.1661.54.exe
PID 2780 wrote to memory of 100	2780	MicrosoftEdge_X64_111.0.1661.54.exe	setup.exe
PID 2780 wrote to memory of 100	2780	MicrosoftEdge_X64_111.0.1661.54.exe	setup.exe
PID 4900 wrote to memory of 3636	4900	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4900 wrote to memory of 3636	4900	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4900 wrote to memory of 3636	4900	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 3236 wrote to memory of 1652	3236	Roshade.Setup.3.3.0.exe	msedgewebview2.exe
PID 3236 wrote to memory of 1652	3236	Roshade.Setup.3.3.0.exe	msedgewebview2.exe
PID 1652 wrote to memory of 3872	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 3872	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe
PID 1652 wrote to memory of 1568	1652	msedgewebview2.exe	msedgewebview2.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

msedgewebview2.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection msedgewebview2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

C:\Users\Admin\AppData\Local\Temp\Roshade.Setup.3.3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Roshade.Setup.3.3.0.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Local\Temp\wv.exe
"C:\Users\Admin\AppData\Local\Temp\wv.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2816

C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
3⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:780

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1080

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4496

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4156

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkY1NUU1OEMtNTlFMS00NkQyLTk5QUMtMzY3OTRENjY0RDdDfSIgdXNlcmlkPSJ7RjZEOUM1REQtRTExOC00OTAyLUE0OUYtRjdEMkFGMDRBRjFDfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezFFOTQwRDk4LTk2MDYtNDgzMy1CQzJELTBGQzk5MERERDFEOX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI0IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cVdKU3pXd1BmZGNMUitYR0l2NnhyWmZpWU94aFBVMnMxTldtaldjYUZQZz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3My40NSIgbmV4dHZlcnNpb249IjEuMy4xNzMuNTEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQzODE5ODQ0NTMiIGluc3RhbGxfdGltZV9tcz0iMTc4MiIvPjwvYXBwPjwvcmVxdWVzdD4
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:3800

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{2F55E58C-59E1-46D2-99AC-36794D664D7C}"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4048

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Roshade.Setup.3.3.0.exe --webview-exe-version=3.3.0 --user-data-dir="C:\Users\Admin\AppData\Local\Roshade\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=MojoIpcz,msWebOOUI,msPdfOOUI --mojo-named-platform-channel-pipe=3236.4684.17049615647840477627
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1652

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Roshade\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Roshade\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=111.0.5563.111 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=111.0.1661.54 --initial-client-data=0x104,0x108,0x10c,0xe0,0x118,0x7ffc1e68b5f8,0x7ffc1e68b608,0x7ffc1e68b618
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3872

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roshade\EBWebView" --webview-exe-name=Roshade.Setup.3.3.0.exe --webview-exe-version=3.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1936,i,9064965321813402073,2956115011902730819,131072 --disable-features=MojoIpcz,msPdfOOUI,msWebOOUI /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roshade\EBWebView" --webview-exe-name=Roshade.Setup.3.3.0.exe --webview-exe-version=3.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2124 --field-trial-handle=1936,i,9064965321813402073,2956115011902730819,131072 --disable-features=MojoIpcz,msPdfOOUI,msWebOOUI /prefetch:3
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4812

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roshade\EBWebView" --webview-exe-name=Roshade.Setup.3.3.0.exe --webview-exe-version=3.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2272 --field-trial-handle=1936,i,9064965321813402073,2956115011902730819,131072 --disable-features=MojoIpcz,msPdfOOUI,msWebOOUI /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.54\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roshade\EBWebView" --webview-exe-name=Roshade.Setup.3.3.0.exe --webview-exe-version=3.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=3136 --field-trial-handle=1936,i,9064965321813402073,2956115011902730819,131072 --disable-features=MojoIpcz,msPdfOOUI,msWebOOUI /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3468

C:\Users\Admin\AppData\Local\Temp\Roshade\7zr.exe
"C:\Users\Admin\AppData\Local\Temp\Roshade\7zr.exe" x -y files.7z
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4900

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkY1NUU1OEMtNTlFMS00NkQyLTk5QUMtMzY3OTRENjY0RDdDfSIgdXNlcmlkPSJ7RjZEOUM1REQtRTExOC00OTAyLUE0OUYtRjdEMkFGMDRBRjFDfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezFDQTAyM0ZFLTcwNjAtNEQ2Ny1CMkZFLThBODZGMTE3NUMzRX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI0IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cVdKU3pXd1BmZGNMUitYR0l2NnhyWmZpWU94aFBVMnMxTldtaldjYUZQZz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjMiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ0MDY1MTQzNjMiLz48L2FwcD48L3JlcXVlc3Q-
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:3196

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F1F5699D-05DA-4441-A176-7E5E872679A2}\MicrosoftEdge_X64_111.0.1661.54.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F1F5699D-05DA-4441-A176-7E5E872679A2}\MicrosoftEdge_X64_111.0.1661.54.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2780

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F1F5699D-05DA-4441-A176-7E5E872679A2}\EDGEMITMP_3A094.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F1F5699D-05DA-4441-A176-7E5E872679A2}\EDGEMITMP_3A094.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F1F5699D-05DA-4441-A176-7E5E872679A2}\MicrosoftEdge_X64_111.0.1661.54.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:100

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkY1NUU1OEMtNTlFMS00NkQyLTk5QUMtMzY3OTRENjY0RDdDfSIgdXNlcmlkPSJ7RjZEOUM1REQtRTExOC00OTAyLUE0OUYtRjdEMkFGMDRBRjFDfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezlBNDgzRkFDLThDODItNEMxOC04NkQ2LTMwOTJEQzc0REE4OH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI0IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTExLjAuMTY2MS41NCIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDQxOTE3MDk1NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ0MTkzMjY2OTUiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NTk5Nzk1NzQxIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy85OTc0MGM4Ny1mOGE3LTQyNDUtYTNlNC0yNmUwMWIwNDg4OWI_UDE9MTY4MDYyODUwMiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1hUFFZTlNRM3ZQSDNxV1ZyQ1puYlZPQTMxbkMxVFJlRDBhUSUyYkIzTGtxWEc4dmdLVGVWMDRXYXpxS2FRZkNVdEdINWt4ckFnbUkwYVBMJTJiR2V2a2g2cGclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNDE4MzMxMzYiIHRvdGFsPSIxNDE4MzMxMzYiIGRvd25sb2FkX3RpbWVfbXM9IjkyMzQiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NjAwMjY0NzUzIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDYyMjk0NTgwOCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQwNjg5ODc2MiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjcxOSIgZG93bmxvYWRfdGltZV9tcz0iMTgwNDciIGRvd25sb2FkZWQ9IjE0MTgzMzEzNiIgdG90YWw9IjE0MTgzMzEzNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNzgzOTYiLz48L2FwcD48L3JlcXVlc3Q-
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:3636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.54\Installer\setup.exe
Filesize
3.8MB

MD5
b221f1e0f820cbf2551d892753432cad

SHA1
1ece9b632490981a2391e2f89b0a3968d3115f9e

SHA256
50c33de974eaf04a838e68f020bafd4c1e2ed199918f7dbe8417c62baf036c25

SHA512
82600273f3dba434eabebaf1d21058b7f858819545c3fdbada235f892845762bbaea16c1d68d68c52853d76d60a14311b0d8d35e21ef11a9ae04cf91b4eaf5d3

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\111.0.1661.54\MicrosoftEdge_X64_111.0.1661.54.exe
Filesize
135.3MB

MD5
6139897c18598e5e4bea83271bcdde48

SHA1
8ee267b108f0886662f569e2973a6795418e3ca9

SHA256
5192e3488390e40e35d3c52b1bc484145c5871d7eeeeebf4c22f7c8d7d12246f

SHA512
e8499f423d7681a3e763327b28bef6f70aa6b90e1201b09bb102ff79a8f2f6af6543bbb516618742da317982cf9aeaf4e6b154db53e526b18af6d44aa7caf4a0

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Filesize
201KB

MD5
41680b5d08d0f18ec731b58a73de4781

SHA1
30eb01cd07f55adaca44edcdcfbc152148078669

SHA256
f8f3ace5c3c404342251e16381132f0453514e03e9c65cf387a21cd288552200

SHA512
f936c26a26c5268a142f56c7ca0277efea42404a405679ac23060085ffe96702871ec8d2e0db5534878a03948e99f9464cb8a9da20784f9b0308be9ad30891ce

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\EdgeUpdate.dat
Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Filesize
179KB

MD5
eeab009b340608e02f41c5aa1bbe67a7

SHA1
fc5c98a0ea110e8c4ecad3be8d8af6b1a50f9559

SHA256
22387c13beca9bf5f126511a0e86e1d90ae1ea70cdbdfd6c63a14aa532e53144

SHA512
6c438f035f222fec751a0839009adf24a5a1dcee4214146ee1d2ffef49dd900b38f1a70f532bca480b2aace3d4467fa86b429e8186e1cc13b5436286949b29fb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\MicrosoftEdgeUpdate.exe
Filesize
201KB

MD5
41680b5d08d0f18ec731b58a73de4781

SHA1
30eb01cd07f55adaca44edcdcfbc152148078669

SHA256
f8f3ace5c3c404342251e16381132f0453514e03e9c65cf387a21cd288552200

SHA512
f936c26a26c5268a142f56c7ca0277efea42404a405679ac23060085ffe96702871ec8d2e0db5534878a03948e99f9464cb8a9da20784f9b0308be9ad30891ce

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\MicrosoftEdgeUpdate.exe
Filesize
201KB

MD5
41680b5d08d0f18ec731b58a73de4781

SHA1
30eb01cd07f55adaca44edcdcfbc152148078669

SHA256
f8f3ace5c3c404342251e16381132f0453514e03e9c65cf387a21cd288552200

SHA512
f936c26a26c5268a142f56c7ca0277efea42404a405679ac23060085ffe96702871ec8d2e0db5534878a03948e99f9464cb8a9da20784f9b0308be9ad30891ce

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Filesize
212KB

MD5
43796351e9ae674e05084827d15ddd3b

SHA1
f72112a34adefc9cd31c0f55074cd74e34260010

SHA256
29a9283e18d979e5c0d70ee63f333e5b8d45e33d8a2fc0443dcf20496879329e

SHA512
c5cf9f2c06cebaa05e95c4e1ce6ccf41060a4793bdc703c979f7941aef4ab4ca0eb3450777d9ee6f5dcea65825d6681bcad7d8c9f862e6739afa34f337e0f720

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\MicrosoftEdgeUpdateCore.exe
Filesize
257KB

MD5
c37873784d654850cfb9faad29387998

SHA1
d2d70e7db2c727c412c5530c24982d414d502889

SHA256
57fc701c6705a1e4905a3e7b21144ab700514a1f3a36b9f353cf70d3b7e29477

SHA512
cb9f1e5c0e8ad854f3b885b158bf8bf00b06a3e96a058e685223e3dc6d8d0fe032c88c25a2b66e9f10d5df9c344d1f77134c6a00d0a31ce552eec692c1d0e31a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\NOTICE.TXT
Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdate.dll
Filesize
2.1MB

MD5
a1feca03b08e3d05abbfade260fc7291

SHA1
c5d8d736f416ac0e3b6bdd858153c88d4a27023c

SHA256
82f972e81d4a73ba84bd958cc79acea3b3610401c8773fddc955ea5f5a4cbd6e

SHA512
0f2b82d19f8dd95d05ff4f90f059aa8b2782c22147bca69789cae8cbe363a5c8b6e2e78b93253567f29ec6ab874ea1650af36228e52556b3627a7a43f37f68a1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdate.dll
Filesize
2.1MB

MD5
a1feca03b08e3d05abbfade260fc7291

SHA1
c5d8d736f416ac0e3b6bdd858153c88d4a27023c

SHA256
82f972e81d4a73ba84bd958cc79acea3b3610401c8773fddc955ea5f5a4cbd6e

SHA512
0f2b82d19f8dd95d05ff4f90f059aa8b2782c22147bca69789cae8cbe363a5c8b6e2e78b93253567f29ec6ab874ea1650af36228e52556b3627a7a43f37f68a1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_af.dll
Filesize
28KB

MD5
2268e40f1efd0731849c84f228e9f2e8

SHA1
8409af2c0d321053c99b56d6b46fb372fad227f4

SHA256
c68ee308e4b37175847d1cb0793f3850c87d997b57df0185bdf668b36cafd0da

SHA512
08160550d8d1e7b770a88d7c48494b60843dd0baff314868ec799a19f942ce3c41f0d62cb7968bada0db6e1630e13584f251e518aca8ff6411253001145f6d93

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_am.dll
Filesize
24KB

MD5
f44e945c31e5307da9cc4d06f0dae742

SHA1
04c2f4c9558bad2ebd6c6f22306fc7b7bff1326c

SHA256
f1f7001e5cc83824206bd9b2e895db63f4a135dee109acd672dee48b620d0ea1

SHA512
9df1a2b869e3c6e808057e673dd2b543590dd4b29285057bd0a6edd979a1684cea7e27468a7cc16cf64893b058f9956030b5c4245a30cb4e6d5f43be4bbddd08

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_ar.dll
Filesize
26KB

MD5
1dfa2cefb5ce71f320f5d70ba328df17

SHA1
e5ca9657111b77aba9fa46c90b40ddb5e00a5f89

SHA256
281a1a97f745585498ada34f2a48ac12e2255bc2d41de4bc1106b7d6e753772d

SHA512
047a2a3c1e160a8a3c673aa90adc529aecd5321095c6374cc0007450c0deb2cc193268bd3a4f6c6c285414e6cb55b581dd08c07c160e9901b94a2de2e1e842b6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_as.dll
Filesize
28KB

MD5
bdc3cc27d5a9b93b94ab4701d1a17bde

SHA1
97689e8b90326f82bea7e3e4dc509b064462d5a8

SHA256
768223b04c3fee0e4f70f789fe46b9703d8a5fa7a0790c56b4412107587b18aa

SHA512
028a763d18f62f593c3b60208c37a1a3dcc6816e75f768e85b376e2fc3017bf48409add3ec357746c3dd0d1aa45bb7b98a634e83afa765f1f1de3e71e704cbc9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_az.dll
Filesize
29KB

MD5
2c9326086b35eb270ea18752cc8e65fe

SHA1
2825bfae46ff9a935b4b32124785065792cf5d6a

SHA256
def8743537d062302728897ba845c3b38caac1035c75943bab55ad79e07dde26

SHA512
642ee8c5a898faa2be9eb02e5a3bce923bef8e79e79f184063ff9895cacced0d0fa545993c69d394219830a3c6f1d6225066ac464ea5d785a32953950771f1ca

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_bg.dll
Filesize
29KB

MD5
d274f64d6f292162a97c28809fbbdf42

SHA1
1f621feabec3a746416ed07e8a712eaf8b68c9cc

SHA256
16bc725323dd5a1755e775747c392109894558cd7b7adc20cde1cdf68bd0fd8b

SHA512
3fcb22e476c1bc1ea948034f98459ea2e0aff86dc0922f078ab36f5a8119332e7ced4026f8721df6cbd45301968783ee1af4d8dde4659c51112b119b63df96a7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_bn-IN.dll
Filesize
29KB

MD5
429cfeece0deb285ffd70787566a1f8d

SHA1
0aeb24f597b6aad061dee1d39e52e4e0b5d85bca

SHA256
7b8ba9164415277f1c29621335a8b1f9539a56bf40b72d7b5624f947855ed515

SHA512
ae306ccc4b5b799e7e3eb4800826406f9e558db447da7c7b2a5a7b41fd10fccba56983306f291a18f9437502d734cf00a74e786cae98490343c73f0ae8b051be

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_bn.dll
Filesize
29KB

MD5
79a4cbc2e0196d80bbe9f47b21d77537

SHA1
50ad550962fe5c3d50511540c27fc6c25a92f783

SHA256
7e70da6c44a4c6be85329868820a64089419f43a8f52bacad171c9f0ad511909

SHA512
30c5cb0157b9641b9e81bd7b424f5a1faeb40a31c32e31f492c10edae80ae4c931fd12c8e4547d43b85253f6aa625c87b364366199d2e513d559fbef39502cf3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_bs.dll
Filesize
28KB

MD5
6092cfa76ed533d8eb675d093e33f54a

SHA1
bca4ead601c083c88137dbdd31ce7c75a927544a

SHA256
fdc8de2e46266a1ee0945d6359cc80033e10a23de7ebfdb758c647fe8f4ce8bc

SHA512
d99e2bfb44688e76097a649b5716091d640837b84f8f22131868a9dd6c243f378207925d54a4531cedc82fd84446a0c2364940996973b5653f680f0b1551a536

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_ca-Es-VALENCIA.dll
Filesize
29KB

MD5
b43fe6f45c12b79a3b4e4251629e627a

SHA1
75b6a26a82d5101bf2f1ab9d953b5d82e89a2252

SHA256
d448e6fc4472af532dec7c1b364c19bf38e389d540aa7704bbff46ae81019603

SHA512
cf30c496e9849fa1062a325d81f07f796af09165baf37f1b6c033663e0dfa033c41914d2893861d64806f90ed5bc9aa45b9d76db1318bc478615984a084e309c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_ca.dll
Filesize
30KB

MD5
cfaaf9d0b4e779591a294969488de431

SHA1
8ca0eb1b8aad41d338bb61bbfa6b3b6b9e55ce38

SHA256
58c0c1c3de61c4ad6ab2b99f3ce7aba82bb70640a847334881d924a9cd0e2b75

SHA512
4f3b60af73ce9bddda0eebce3dca5681ca38459018e2dbccf29ed8bd17aafff35dc8cfedd2adab294583a71dd62a7c1ff25949cf02b84e050d929083e33dee38

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_cs.dll
Filesize
28KB

MD5
162c6a9ca055e8185e3cf05c1df40797

SHA1
1d4a2cb4c1acd1f88e96f1f1e4825e6f8d70b3d8

SHA256
4a5c7cdf85f4b38141209ea12c5dd84e3247e91f28b886427d75f42a33397abe

SHA512
bdc3b1c4899b4d0e8b478ee27d8bc41f26c5f5ec3bd63b600a8ba31838c876a10a088e5058a7dcafd770f8bd854f9a2d5ec78b04363da88f6aa3743e1d76d01c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_cy.dll
Filesize
28KB

MD5
1628d317fc595231efcc022933504ab1

SHA1
80ee7f5938a4f8367839f1002f0522ac8a293ca5

SHA256
36abdbedc646c5baa856e6b22a6e9eaa4553ece3aa9b0bf7839104756af42195

SHA512
4ea12630b6cae888e48296e8b8632086df6aa5595f8aa6d2447d98b396a7ddaa6474f0bd48f0b4d9487a37e36cf58ade1e16cbca4c7af76a565a825840e91060

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_da.dll
Filesize
28KB

MD5
225acac8ba7345732245d1db02ee0dc3

SHA1
1aaa354024a71de59709c25a3f4b04291c36e7b6

SHA256
9cc284d2f64fca26c7c38d0851c7b20f62323cea48ff3972c20ba3a56a90f36a

SHA512
d9e4b2f30828165e71560fc9232e753d9e20099499fd44f071e790f4c5263c3f9fc5a6e92d64e30edef1063ed273bbe63b67a90e22c1c02edfbcd6969ed52fcb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_de.dll
Filesize
30KB

MD5
a5e58bb56e4887483a1e2d87a94d14a9

SHA1
122e8f9a3c917ef4309f9d1b52b79549776f0f0c

SHA256
3330661175a0caeae799f9e9dc3dfca17222b99bb9086450a0e381ef47ed584b

SHA512
dba193e03abb7035f9f44b7ce291c819b85e597cdb3f92f7e3cc9c38c4d683ccd791b56941fa67d8a32946c9561e411f7f27136ee8d20fdf8a5ae57175b65cb8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_el.dll
Filesize
30KB

MD5
8c1e1926c85097d6deed3fbf335ebd30

SHA1
29590076ac9ca7a0a97d1ea531a7d83dc546c16d

SHA256
acdab523d32be1b4e3512f7d5ddcd241e2062e0ed5db8913cc472a269f1d5afb

SHA512
9d712c074c90570f7d53b79c164681ec4a81fc40d12329870a76041e398b3fcc6ec07fdde7fc7f5f4745f3969a649c95e0f4370e8256c4fefdd0801a35fa1e20

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_en-GB.dll
Filesize
27KB

MD5
8fcd88ca1a1a7a4729abb9a779f091f7

SHA1
61e05fc51f5f7165c93af8c82119f8df0dd8165e

SHA256
b1ea2735cb3a7f44463c20cdb5b03ae105e320ce600f4c9c9fb557aab5b8b208

SHA512
a1c7c0921aba77573590fff965e742a9a03fae0c265d62ed23528914f7730c8e8a0edb7ca185d25764ca2b7f45bcf809ad50a0477bc130a60211308252f7e5ea

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_en.dll
Filesize
27KB

MD5
49ce49c35fe42ddccb14553421619069

SHA1
486adb2db118f5d114704d5f955a1e44904f45a7

SHA256
c898692f9b6f313d4d3ffed1e46f6263b198e8200af464e64eb19c2e0e38c8cd

SHA512
ee3c4b43221c31f5e581db49be7e9c3964049d84e352b7d17ee0e19bda5e27555174e8a4a6a77aa9fbcee93a220f5ef0cdf24207c75ce6b2caf922e3cac3eb06

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_es-419.dll
Filesize
29KB

MD5
95141d3cd46128d4d87708c0610e0344

SHA1
1f309c2b15f9647809f87e4a9ed7831ac0746173

SHA256
5e7ff3779a8923a444d85c4feef3be6a211d03dbfb09a3b5853994db3966fdde

SHA512
5cd85e5bf54514abc106dbea11d6ebe072838e8849d9c319da7aa83ac1857201d64991b5b8100ade62a059e6cdd2ac02e4685681994720cd4b6232aac4153f11

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_es.dll
Filesize
28KB

MD5
869aaf32630ea378477dd67d2fca47bb

SHA1
134357c3095da7581ee84e80fc03a0eabe1ce075

SHA256
f0e5fb8894a97379f781922f0642b1cab6739f2c9f74b79994b87ab29d19dc8f

SHA512
72880779da5f72569b183659ce7ce26031596d124bb25236ed560343ff8cf1a21734dc807b13cde7c2809c56e72c68da358b2dbd60183f5517a030ace300ddd5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_et.dll
Filesize
28KB

MD5
24de30a546c91528560c78b225150dc2

SHA1
092810d0c8f232643f6ae4b51d8ddb9bba33d6ea

SHA256
26fd4f513369cd67b709261a486720456a39f3d9ca0cc6bead4a09ef289a45f2

SHA512
45dd708e037ac7ae3920de7f19c4fbceade14d8db01b12d9162ad6575d1936aba99547df1d8993e74a858127f5b11c728a060d298733f8c29ead2004fc8396a5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_eu.dll
Filesize
28KB

MD5
72ac494795f47abd34673ecd18fa0ace

SHA1
df15bec0e290404fd77a2f8a34cbba8b9ecd3133

SHA256
e32a92004cbc245db0e372c19c6c7ddc299c62dc0b53d01b3201bd2a55dfdae4

SHA512
bb69a7bbefa205edac0820d0d71321e27682d2fc7b98c7c744a388d8d24dd7a8dccf9d8f3b85da38af6c2907d867b1fa4e41fb527629103b32840f21bed2c3c6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_fa.dll
Filesize
27KB

MD5
5c4a4a7931c212f081f678e5f8776542

SHA1
c081778746abd461a58d9688e215212e05e20b86

SHA256
d70638350ecf4ce3b5c62d6f1fca06c4166e3d115bd70bf81d3f4f36769db9b5

SHA512
e3a37ef0780449456640ca1446f65149742731aa53ad960a7ce3ccaba35f01dec3bb7eeb9a65941e8a5ec97778d60b9089c6dcc56ab5da4e85456fcf52ff4620

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_fi.dll
Filesize
28KB

MD5
c231e9382b1e20e770485ce17368e808

SHA1
6f7ae9f23501b22838ef8d40a275515eb6b0b9b5

SHA256
cc9b47f59c1f042cbf778c335db244952ecf72b35e81a2a3f1d8de94491b956f

SHA512
7e694a51c90fa827b65752192179370a705e730898ef778f9f126e25793c4c16a8ef078d96caef9db2ca943e8da71cd375765f983889f12c5f7d73e90fdedc8d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_fil.dll
Filesize
29KB

MD5
8e24339a170e96151a2da3458da6b089

SHA1
99e38b1c67c775f08ba01a2c38c853cb3e3168c4

SHA256
0d11e5f63ec6a408bb11add5d3b31b9b8a7fa01851552941dd6c29418ec3be48

SHA512
d94e3be30750ca667ebe9bf7f2064f652f27bc51efe0b1d39edc406738b38e90138e0982b6d1197623df2623fa4a204ec1fda3f13e0c243d70af1ee87be441a3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_fr-CA.dll
Filesize
30KB

MD5
8aea9222bf0ab5a39d72769bbd8a6c1c

SHA1
f8bf248a2d4fdb7420a4c660bab505fcf1765244

SHA256
a85f4b58fe92592e6e512d492aeeee6b10de342e65efc8f5845af7e862916765

SHA512
fa367b3a98dcec900f02cc38e7460f81503fe3e9563d3244adfbf34f0092ebf6a72f148708fe0cfe14761288f37cbaeb6a7446f160a684e5c3ad6246a330c474

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_fr.dll
Filesize
30KB

MD5
448cd37a199ac30950df9324f1944536

SHA1
3870c93433d9e1e1f7a3945268123c6d977c6027

SHA256
85f2ddcde5d1a7e7d7542477c03964dc18237b8467be5d27338d83c5ddd36e94

SHA512
af2b8f0e41eef8ae207536c0b8e4f698a794c967edd8e1878d89f9b2415a879be5c9e565702c95584ac68a4a9b61813a6a2f33fb3ca6033249ac33473e15ca41

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_ga.dll
Filesize
28KB

MD5
e91138124da0bf9c6f598ddb2762f3eb

SHA1
1d5ac1cd975cc3ddc33b8033487c496608ab49ee

SHA256
65590918fd669ae162abd644ae2fb8c6724b175cb3d1c6cbdda015dc33b21bca

SHA512
5dc589b6b519beae95b1adf97145ceeb06aa3b91ffbfbd1ee024d0d7d7d76e25fccc824043b1d80dac3b23aae31e4862cbebc7a744f8d41e93d412f782a7de10

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_gd.dll
Filesize
30KB

MD5
afa9377508d33e4f56ae509d7381d359

SHA1
181c212d4a4f8a8cbe7bcb244cd697c5102a1a2f

SHA256
5176ccc3185e015374d78c53cbc99bebeece0355dd7f90f9d3e9979ca3c57369

SHA512
e24ca0cc668babd600971d4eadb45b7dfb51aec28b56560e6ec1709d972f748a0fc74ed9c71d19fc67ba9a7f22535738f01830151784ebae1d2b7a70b436a4b3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_gl.dll
Filesize
28KB

MD5
08e4880a254fcb513b9897af2a3360f0

SHA1
63b0f085bf3c3b371aa16064e4fec5c2a77dca64

SHA256
3613e470dbfd6d41d279972d870c1accf03ef6878fb1ff801a588aa9f3e0a0fc

SHA512
c74f3a41c75730ea6b03f7d2d288bbcd2611f4b6a291005d873f02fb68e1648ccb73a2f6f4686978ea77467cb57dcdaae6a49539606117b5e8356fc948912995

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_gu.dll
Filesize
28KB

MD5
5c20ab205d5780c31eb0c6000b2e9a61

SHA1
e01d6572c3e20190de0af0b302286520394bca74

SHA256
f1084da872e13472a8c768c83aefeca6cbdc86fad89a3a99e46376c6bbaa42cc

SHA512
b0e8485bebaf3dca68e057e114ff6112945d9df251ec634ad9bc2fe760036e4edd7da4c746f3001be2341b90f51494de989f2a085af9946c2f9c8172d8448418

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_hi.dll
Filesize
28KB

MD5
04fbcea72025fbb5aac33009a0a28f97

SHA1
0eddeed3aeb0841abee1f2ae4f7c70910c2da8cf

SHA256
344f8972fca048ae34b4bf9fdfbf09dee5314615d7d29e908d553a1f33daedd6

SHA512
6954f804dfb6a419570ece2b9994a32f1011c3c964921db48897732b59c06e4132afd514be8a2a62ce3a4228b637d16827947f50fd2d26e0f0a1316f9a650f8d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_hr.dll
Filesize
29KB

MD5
cdf4b247095e9fe19c52d7df2be49081

SHA1
b9e3a1a5c91d4faaaa9bc5adb39cd1ed47782f6c

SHA256
140a0956433c5f8330eaa2840ff1931c990be2b5c1ce9c14a42ccd9a44b87f7a

SHA512
2a9b6605aeabf21f92dea57c6cf6a5373796a3b912c0acc49c7c3325fd9c8ebae4547020f243ff0ae7732fbc2de1181a9488a2d4d31fe72edb3a5c354187df25

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_hu.dll
Filesize
29KB

MD5
321698ce486b3bab5cdd4cc744e901bf

SHA1
f838fecebe102f3f4269d98e9f1dc88b46828bc6

SHA256
c4fc0ccac77b19914e9584f1a8c16e44f3644a142a8feb65ee7b6c57527eb208

SHA512
7f7acb0e7b20e400c7ac82fc5d752720bf24442fb66b8c32a60da16013898b817b155913b26315a3519df601a9fd89baef21be907ab508aff6881679eee18cbb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_id.dll
Filesize
27KB

MD5
4b4a28a9262f91fbfc1cda32d26d3578

SHA1
56d616fc67b51f20ae32b93a6581df1ecbb6f93e

SHA256
68935af95c3cf3073e52725e447474a0710e00f399346ef3132ca8e7efb9bc8f

SHA512
d27b13197e714f9e8a5a1345c2775a05be38633b2d74f74a64adda552db23282aa902ecf82e69095ebffb129c5b784f55fbd399861b8a1898ff6acc8ca81a0ae

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_is.dll
Filesize
28KB

MD5
677cfb20cca21f570716cb52f650ffa6

SHA1
f226488ce80e855a460f5cd4df5d27e971f33445

SHA256
5af739b3ef19d1eb8b39934ec92ae29da4f7ba1c9eb604a664da6c1c4ac6e062

SHA512
bea112919998e69956ed49c59bb838a8128f2569e8c9fb39bc64e3ca138fa513ae427922cbe411e10fa62d121202c9478c2b7fa8a0dba6ac489bc65f858059f2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_it.dll
Filesize
30KB

MD5
24d8ccf90614593557e905683c199844

SHA1
db275660f0cbbbe66640ffd42eca0dfeb557fe75

SHA256
c3f727d5b0a7f4955b8793ac4e97502c0b13fd6ecd9aa1578a80428303c2d487

SHA512
6cb2f56fc06702aa5e74fc992a0411f16e39c0a7f0f34a3db80cde7afe04a34eed8a0e35cadc6a52455e927ac460f74fc8c4307da567197f962c02b0082fe71c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_iw.dll
Filesize
25KB

MD5
1e47e738b1b19282e0c1131b55e43dd8

SHA1
898c4360422d3d4f5826e66dc1a55a6cc65f56bd

SHA256
319837ea306ce59d99ba5650a9a6e2b690e809d8a7d9747e5866889a585978c4

SHA512
695e064fcef5f4d05f8dcca87c907102d014354703cda8ed4ab3da05268e8d322cb790aae76aae12aa2c17c29b5f6a23e1d75e4b9540520b047afd502cabea6f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_ja.dll
Filesize
24KB

MD5
6a16ae7cbfe779f663c3ccecb00f11e4

SHA1
e1474f73c364eb832e21b5b8b70f797d1926dd93

SHA256
69ea2afaa1252387c7673532263afdabbce35145f1debe971f5c48c034662120

SHA512
5afea5db4cde7acdf8833fa73efd7210de8e2974462a35535bb0bca7f8e16baa94f1ced2944b7ecaf5d1593460e78b4b61a0052af963682f2f7f323c52d4762b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_ka.dll
Filesize
29KB

MD5
f76fc90c2fce502c396f770017b16659

SHA1
10921f69d33e9dd0c58b734f43e4cec4c18acbc2

SHA256
40c4ee205bba51d34b3fee18b3b3b7826019f4aa18d70c9ada2b7458667ea73b

SHA512
b5a0f9caf994455f2dc9c1957db5ef4c396a4badec4e13471c7e6e8038fabf53d3a6277f069a2f884b31821eca1d2e9b657bb43b605057e7d3f5b6d143a74c6f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_kk.dll
Filesize
28KB

MD5
073ab02d719657020b368ea5eac5c6e9

SHA1
da45436e2923819de195418e6eda79d0553fb869

SHA256
40eafe1a20872fdb64d109fa176b07d601b1dd57bed80e1764c18d85d1f5bfbe

SHA512
3375cd543d10c60a28d4a02a5c6bca2afbfe27a62b4ae4f204e4b9d64dd71651d3152be9c41034797ef56b572f1d6e202da3e84fe68f7ef1175e056bbe24b0b5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_km.dll
Filesize
27KB

MD5
9f920605e2977df35df07403f817bce7

SHA1
b58fb4d93158f53c676c011a0e0a4bd49c42ea47

SHA256
dbdfc1f34e21a0ff43be93a731dde2bdf73df86a32bd3b89a3d16584a6a7b87f

SHA512
40292a014db31af5b0093dbc9297ea87acbd856d92a58bcffcc4c78f30294e7458bfdd178696974d32334b763d22680b59a08640e39b0a54767cfae142279b75

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_kn.dll
Filesize
29KB

MD5
753a8b65205ecba2d23232c07915d71f

SHA1
e17ebe2bfdc3136cf94b515e0e9b42d651fe7cd9

SHA256
dcc541b2fb8a5e4f7c8ed9045aed3d45899bccbf114a72ce4c00b1bdd7e39026

SHA512
b9f4c413417305a66a397a35509324b19a857356b76ff1faa95b9da6442bed4da031466748e824e8a03ff72a7f2b95377ad60b10c71a5ad80b1dd4cd00d6f51f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_ko.dll
Filesize
23KB

MD5
3921501f4089f11e83af685aeae511c8

SHA1
53fa362b649f54439be857bdd4d62ac17bb4d63d

SHA256
ed5eca28d76e2380540c0feb08ae9f21c16899dcc53587ba991a4fe49fd5782e

SHA512
f65585a06cb40da68148b4315bdcaf53428f48b267a02b78e36cecbe246ea42e79acd9e1a9637650b483432e4c710035de11162dd6fcf4453dc012305b7da36d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_kok.dll
Filesize
28KB

MD5
930cbe71cc2211ab903bc2e0a8b177a9

SHA1
8bc70a7ff55bd04876f320172b5cde10a32b4ddb

SHA256
4a35bdf521e406c1fcaefd9dc3e106dd7080ad86bed7633cc25ad0b268140701

SHA512
808d9866a9e8dd7f05717efa71e93871217604cfe779c8ab81d9b63071228566a43f1cdf0a0134bdf6a394832070092c37846cd5353fb79a8b7d0d349e0ac7b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_lb.dll
Filesize
30KB

MD5
42db54d49d717acf2c7a28b4d1a45c9f

SHA1
9a5680e47de0c68cea9e653f2f32c815a0cd80c5

SHA256
b44c2d7826ea819c8d479b3c204f6351d80f72cf607d505308cfd73d185e9e47

SHA512
e3147c6bbb94b587ffa7ca75d6f46f942345d2f692cd82940665ee60b8d647a01728fd3b7c21c6602bce52d687f0e5171100669830d01218a8e9fdf2094a36af

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_lo.dll
Filesize
27KB

MD5
44880b87efd7c3bfcf5f4e280525709a

SHA1
9ff2bb529ef22564b97933cc8ccbc3570fac4109

SHA256
e12b1a5f9e9d2684de85a56e64e5a8ea235b1797328e7ba240686f63653b6254

SHA512
b8b061b2f91853b9cb4eaf7d6ba263b6795490b625aaea7499c458360f144c19c852c3a1b642c7e7c8867e7b51b829035569dfc5f25b9c2e5bfad4c165cdf5a1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_lt.dll
Filesize
27KB

MD5
1a5a02e2e94f4b894f5e47b46051d5b8

SHA1
ac7a2c2db37619a3dc90b372dfe9e772936dbb99

SHA256
555819595c52fa9bb7af9b1d21fc9f97c3eedbe49260bf3ff22b395f00e287de

SHA512
f8303dfde8a1e39fd8ebd9f84424d97b828aef313c7c9396c73666c02d12233c7637a14e23ca12fea013ec78db87df6cd1e9f8368455380234bef40899fd1814

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_lv.dll
Filesize
28KB

MD5
87fd0217498f329912b889ebcba889ca

SHA1
c9e5c6a4009867603c0122bbdee92846190561a4

SHA256
e8754807a21c46ca24bb804291e95bac57fa924f32c7476965433d8b80de91eb

SHA512
46b9310f2b29830083262c8b9944db6d4f8fbac03d0e63f16df57f4ab6999d07820117fc1f2d22aa67ab91482ab1f17f022cfa67376968e91121ca53742b415d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_mi.dll
Filesize
28KB

MD5
421136f2eff1dbedb896cf30f7f5762d

SHA1
c6dd9263343781918a16050ac6809ac698995d98

SHA256
596eaf2a8e251602efb8d838b17705752cbdfe4f3e4cd00292de93917b176596

SHA512
9c03ce700f44aa75b9a1bb684f7941d165ba63a199320fc3c0469d098a047d0a8fcbe80eb821f4922c8a109321e6101395d7c1f4b0aa81f0646f8ec595394af7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_mk.dll
Filesize
29KB

MD5
69415fe0624e9e84d6482fdcb7674117

SHA1
f2fa4bbc8b3b36e528b92fbd5f17c955168352e2

SHA256
dc2158c944ad5bceaadba46d67a045c1ad673fffda05e573ae458234374bd460

SHA512
f2a00c6357f583d2ad587557fca60c4ef1166dce3b2cfe9947441dfa86d426d7c32cc85e2ea090dc8add6318a873070d8d6f29793ec738b07966e66a37b46876

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_ml.dll
Filesize
30KB

MD5
6744ed5d8cf740f156d2d2a04c6e44be

SHA1
6dd30ff002698e0d02d8f45bb9ef2782edd07bc9

SHA256
974b0a40cd09725990e4c164217f255fd6869050100a0d514f61191bc72b8614

SHA512
108a9ad663f7bc89c897b1384403b35f0ad74781e833a3d2215ba07f2a1060146173b68f7ac1fcd6299b252f721d7b2ce4c3ed09e856d20b8a60311e9230b3c0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUEBEB.tmp\msedgeupdateres_mr.dll
Filesize
28KB

MD5
db76a7f0cda20e44bcdc1e77a286a6e0

SHA1
02a339fd5e966a82e8181d8179aad080d7e5d4a5

SHA256
de52183729988d354956d4698a9962db24e46c754962e4ddce7a78e3e1f921c9

SHA512
dc76b2cd0c78d58ea32c0b7547b33f8981c6f53d67eb3a41bb8c21d527d3b28cec6f714ff38dcba4d0848941736cde0283e500d7bd4332e305c2b18c2e0bb55f

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
Filesize
149KB

MD5
0ed0e6de55231ea33808ec79aa5c7771

SHA1
fe2cd1190c3ae007b854c79c7f9d90073db20319

SHA256
91cbb03376abda60d807903c3d856df6b26f37549ee18c7a88173d4332f972b2

SHA512
7abf483422d6bbae497a27a19f1d9f45aa7c5404fcd196a6bb4b88a9c9c9c7cf18e0b7cd565496a2789343c7704016c50d0414453b09f6feb144a2e68d02fa43

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Crashpad\settings.dat
Filesize
280B

MD5
079bcf33ba6025bfc5c6a32c635b1b95

SHA1
8deacb575e6843fe37f0cbb7549898bc2e2b0d99

SHA256
84659e726d2b06174c6c3f15d18c7838dc9cee43dc7c8c8f0d11cda0108757fc

SHA512
344af85bb00caafe07b20cb7042db3453eadf0cbf3bb970c117bb7ad9bbc76a3e67f4d4c822feb360311a7d42743a2ea93dac1edd34e86bff62fe504c767b2fd

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Crashpad\settings.dat
Filesize
280B

MD5
079bcf33ba6025bfc5c6a32c635b1b95

SHA1
8deacb575e6843fe37f0cbb7549898bc2e2b0d99

SHA256
84659e726d2b06174c6c3f15d18c7838dc9cee43dc7c8c8f0d11cda0108757fc

SHA512
344af85bb00caafe07b20cb7042db3453eadf0cbf3bb970c117bb7ad9bbc76a3e67f4d4c822feb360311a7d42743a2ea93dac1edd34e86bff62fe504c767b2fd

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Crashpad\settings.dat
Filesize
280B

MD5
8406168adcf982f6963fadbe0961f52e

SHA1
6406c222c8078db6feac86e5f0dfd317541bbb08

SHA256
fa1bf8a16be21f49a790d4076127fe91da1444ec4d0ae4e914231adb1c8b12bc

SHA512
ad63862062a89de350cd23d020725e3d72aa7ca430079b01109f150350a3a4d4300ed91abef28302fc9cc09af5eafd2a9762de3dbe160d1023ba8177788b3361

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Cache\Cache_Data\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Cache\Cache_Data\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Cache\Cache_Data\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
1be8f6ec29ae05a65c0de5ef61bc4ce9

SHA1
6ebc3f8c0c588b51cb1bd23b1d844bef17af1ef3

SHA256
6a419135017281342d27a9ec19718c899b3a415f27655b3b59e5f933e38ce377

SHA512
f8c71fb1289ec79713054b1680181c52b04ec81538a1e503f15437b8401081b1293e3cbc85e2049dec94cfd45ca82f7c9fbbe2edf409a14af16cb9c4eab74eed

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RFe58f23b.TMP
Filesize
48B

MD5
376314f047d37d76b0f1e7744a3ff435

SHA1
cd391655b539d3f7c94ffd77812e71a895717446

SHA256
ba5b7248c3f73e4c7a14ffde7b4cd490599ea1d85ff72317636589fb41f815d4

SHA512
08b65e0243dacbb92ddea33cd31c2ba465b997cf3ff764371a487ef731c1e5f61425ed0851d9c61488686ab0e40f3c291fce714c4caf0d55d2e79265e383e97f

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Extension Scripts\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\shared_proto_db\metadata\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Local State
Filesize
1KB

MD5
0c0201900772c452399c313826c9ce13

SHA1
0c9a55f70dc4740a94d0b22a2673b864d61e6536

SHA256
237b99b67b2fb2226c536e7172ab8632e74dab8c7eb9cac30c83c30f832d113d

SHA512
e22d504b521b92be3c189c6a354d83982d9a15f6ac0ed20a21c8961784b700d09e967295a25d6fc442d2659aaa33939acbd63233490945f7979c73c468c8dc6d

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Local State
Filesize
52KB

MD5
20c106d32c4d26bc4f4aabed6533970b

SHA1
ee4133bc6da7dd0168d4928d039b2e69a41b84bf

SHA256
7627c473129942c3204469a92bff2d3a2dd7a045c9388b6ad9e3f3f843a362f3

SHA512
8cc9c4212a78ced42d4c38c03b50e83f79da0c5f78387e7e16a1513d1841c6e6e3e2d03ab244816422d7f899f70a0b4b06f3c72c9632dd8a6a426e84c81ef52d

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Local State~RFe589b12.TMP
Filesize
900B

MD5
5e9428549cfcc675e9bd4214b64f184c

SHA1
2cbefee622dae378e4dd6b185db068d56d2e135b

SHA256
4efdc4083016ac9d890ea6fa384c97bf52da469d8f9c640b47ab947f56596005

SHA512
0e904b5b3e4333a0a6878f47e33e1b445e5118455b289557879141a73744b87f66740144554f87078343f3c77a9d65f7a814fef84126ef98e5ca63a04057c8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wv.exe
Filesize
1.5MB

MD5
da34ffb9048638664dea4c1f9179c07d

SHA1
3a854948eccbdb7d7b6d2829cf5ca72793afa89c

SHA256
e00bd8875c84b17544f30c66ef2d55fdc847d34d888c7327078ade1a67b6441f

SHA512
ec4c448dd49fba17accbab2e50b1fda1e1452e5760dea47a4041aea6940edd4a92a8bddaef847a2698da2f147bea0e8cdd6f3b6a3455af7620f6bd63a30c3077

Download Submit
C:\Users\Admin\AppData\Local\Temp\wv.exe
Filesize
1.5MB

MD5
da34ffb9048638664dea4c1f9179c07d

SHA1
3a854948eccbdb7d7b6d2829cf5ca72793afa89c

SHA256
e00bd8875c84b17544f30c66ef2d55fdc847d34d888c7327078ade1a67b6441f

SHA512
ec4c448dd49fba17accbab2e50b1fda1e1452e5760dea47a4041aea6940edd4a92a8bddaef847a2698da2f147bea0e8cdd6f3b6a3455af7620f6bd63a30c3077

Download Submit
memory/2396-434-0x00007FFC3CD40000-0x00007FFC3CD41000-memory.dmp

Filesize
4KB

Download
memory/2396-430-0x00007FFC3D050000-0x00007FFC3D051000-memory.dmp

Filesize
4KB

Download
memory/3236-133-0x00007FF7D55A0000-0x00007FF7D6214000-memory.dmp

Filesize
12.5MB

Download
memory/3236-569-0x00007FF7D55A0000-0x00007FF7D6214000-memory.dmp

Filesize
12.5MB

Download
memory/3236-326-0x00007FF7D55A0000-0x00007FF7D6214000-memory.dmp

Filesize
12.5MB

Download
memory/3468-455-0x00007FFC3CC70000-0x00007FFC3CC71000-memory.dmp

Filesize
4KB

Download