83fd3eb8248b4a41ab7bcbbe193d93e57bc0034d20259c6e21dc6a427cfe0dcd

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roshade.Setup.3.3.1.exe
Size

5.7MB
MD5

fe51cdac1d70cc17a57cae25c164bf47
SHA1

814144cb9df1c25942321ff04bb9b64ba55fc5fc
SHA256

83fd3eb8248b4a41ab7bcbbe193d93e57bc0034d20259c6e21dc6a427cfe0dcd
SHA512

87c02c489ecc68a186df7e5d2c5dda3d7ff594fd4fb19a2dacd8556ff91b9a7494889a466a28e930cbe02a57247f8042c1d6e84c91c064c4acb40f8afbcc8075
SSDEEP

98304:wSUoEyUQRr+SLX5fuK5QBEcMXiqvC7CjpLgMFX7e1V0fZAICcB5E3d66cIKwZ/0e:wn1QVFX5fZqBEcqvC2jTx76V0BACY3db

Score

8^/10

discovery evasion persistence privilege_escalation trojan upx

Malware Config

Signatures

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 22 IoCs

pid	Process
2820	wv.exe
3928	MicrosoftEdgeUpdate.exe
3812	MicrosoftEdgeUpdate.exe
4892	MicrosoftEdgeUpdate.exe
1968	MicrosoftEdgeUpdateComRegisterShell64.exe
3048	MicrosoftEdgeUpdateComRegisterShell64.exe
4532	MicrosoftEdgeUpdateComRegisterShell64.exe
3764	MicrosoftEdgeUpdate.exe
2100	MicrosoftEdgeUpdate.exe
1956	MicrosoftEdgeUpdate.exe
4364	MicrosoftEdgeUpdate.exe
1932	MicrosoftEdge_X64_126.0.2592.87.exe
2592	setup.exe
2508	setup.exe
3048	MicrosoftEdgeUpdate.exe
4432	msedgewebview2.exe
3652	msedgewebview2.exe
2148	msedgewebview2.exe
868	msedgewebview2.exe
392	msedgewebview2.exe
3220	msedgewebview2.exe
1508	7zr.exe

Loads dropped DLL 36 IoCs

pid	Process
3928	MicrosoftEdgeUpdate.exe
3812	MicrosoftEdgeUpdate.exe
4892	MicrosoftEdgeUpdate.exe
1968	MicrosoftEdgeUpdateComRegisterShell64.exe
4892	MicrosoftEdgeUpdate.exe
3048	MicrosoftEdgeUpdateComRegisterShell64.exe
4892	MicrosoftEdgeUpdate.exe
4532	MicrosoftEdgeUpdateComRegisterShell64.exe
4892	MicrosoftEdgeUpdate.exe
3764	MicrosoftEdgeUpdate.exe
2100	MicrosoftEdgeUpdate.exe
1956	MicrosoftEdgeUpdate.exe
1956	MicrosoftEdgeUpdate.exe
2100	MicrosoftEdgeUpdate.exe
4364	MicrosoftEdgeUpdate.exe
3048	MicrosoftEdgeUpdate.exe
4292	Roshade.Setup.3.3.1.exe
4432	msedgewebview2.exe
3652	msedgewebview2.exe
4432	msedgewebview2.exe
4432	msedgewebview2.exe
4432	msedgewebview2.exe
2148	msedgewebview2.exe
868	msedgewebview2.exe
868	msedgewebview2.exe
2148	msedgewebview2.exe
392	msedgewebview2.exe
392	msedgewebview2.exe
3220	msedgewebview2.exe
2148	msedgewebview2.exe
2148	msedgewebview2.exe
2148	msedgewebview2.exe
3220	msedgewebview2.exe
2148	msedgewebview2.exe
3220	msedgewebview2.exe
4432	msedgewebview2.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4292-0-0x00007FF687660000-0x00007FF6882D3000-memory.dmp	upx
behavioral2/memory/4292-195-0x00007FF687660000-0x00007FF6882D3000-memory.dmp	upx
behavioral2/memory/4292-492-0x00007FF687660000-0x00007FF6882D3000-memory.dmp	upx
behavioral2/memory/4292-555-0x00007FF687660000-0x00007FF6882D3000-memory.dmp	upx
behavioral2/memory/4292-695-0x00007FF687660000-0x00007FF6882D3000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Roshade.Setup.3.3.1.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Roshade.Setup.3.3.1.exe

Checks system information in the registry 2 TTPs 12 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgewebview2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\EdgeUpdate.dat	wv.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Locales\ko.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\VisualElements\LogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\pwahelper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Locales\kn.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	wv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\prefs_enclave_x64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\MicrosoftEdgeUpdateSetup.exe	wv.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Locales\tt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\msedge.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\Locales\el.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_az.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\vcruntime140_1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\ffmpeg.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\Locales\kok.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\b987a2ca-29e6-4915-9e9f-cf96b65b4528.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\NOTICE.TXT	wv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\d3dcompiler_47.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\dxil.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\Locales\sl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{50688E55-A33B-418C-A43D-47BAAACB13FF}\EDGEMITMP_157E2.tmp\setup.exe	MicrosoftEdge_X64_126.0.2592.87.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\msvcp140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Locales\ms.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\Locales\bn-IN.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_nn.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_bn.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_es-419.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_ga.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\edge_feedback\camera_mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\msvcp140_codecvt_ids.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Trust Protection Lists\Sigma\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Locales\km.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\MicrosoftEdgeComRegisterShellARM64.exe	wv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\msedge_elf.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\BHO\ie_to_edge_stub.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_mr.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_ug.dll	wv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\libGLESv2.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Locales\nb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_sr-Cyrl-BA.dll	wv.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\psuser.dll	wv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\mip_core.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Locales\fa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\Locales\en-US.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\MicrosoftEdgeUpdateOnDemand.exe	wv.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Locales\gl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Locales\ne.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\microsoft_shell_integration.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\msedge_wer.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Locales\bn-IN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\copilot_provider_msix\package_metadata	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_lv.dll	wv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133649235511045323"	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0\ = "Microsoft Edge Update CredentialDialog"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\MICROSOFTEDGEUPDATE.EXE	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82CCB536-D2EE-4F19-9067-40531F08D1D4}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CurVer\ = "MicrosoftEdgeUpdate.CredentialDialogMachine.1.0"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods\ = "27"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\CLSID\ = "{8F09CD6C-5964-4573-82E3-EBFF7702865B}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CurVer\ = "MicrosoftEdgeUpdate.Update3WebMachine.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher.1.0\ = "Microsoft Edge Update Process Launcher Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82CCB536-D2EE-4F19-9067-40531F08D1D4}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.41\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog"	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3928	MicrosoftEdgeUpdate.exe
3928	MicrosoftEdgeUpdate.exe
3928	MicrosoftEdgeUpdate.exe
3928	MicrosoftEdgeUpdate.exe
3928	MicrosoftEdgeUpdate.exe
3928	MicrosoftEdgeUpdate.exe
4292	Roshade.Setup.3.3.1.exe
4292	Roshade.Setup.3.3.1.exe
4292	Roshade.Setup.3.3.1.exe
4292	Roshade.Setup.3.3.1.exe
4292	Roshade.Setup.3.3.1.exe
4292	Roshade.Setup.3.3.1.exe
4292	Roshade.Setup.3.3.1.exe
4292	Roshade.Setup.3.3.1.exe
1788	msedge.exe
1788	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3560	identity_helper.exe
3560	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4432	msedgewebview2.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	3928	MicrosoftEdgeUpdate.exe
Token: SeRestorePrivilege	1508	7zr.exe
Token: 35	1508	7zr.exe
Token: SeSecurityPrivilege	1508	7zr.exe
Token: SeSecurityPrivilege	1508	7zr.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4292	Roshade.Setup.3.3.1.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 2820	4292	Roshade.Setup.3.3.1.exe	85
PID 4292 wrote to memory of 2820	4292	Roshade.Setup.3.3.1.exe	85
PID 4292 wrote to memory of 2820	4292	Roshade.Setup.3.3.1.exe	85
PID 2820 wrote to memory of 3928	2820	wv.exe	86
PID 2820 wrote to memory of 3928	2820	wv.exe	86
PID 2820 wrote to memory of 3928	2820	wv.exe	86
PID 3928 wrote to memory of 3812	3928	MicrosoftEdgeUpdate.exe	87
PID 3928 wrote to memory of 3812	3928	MicrosoftEdgeUpdate.exe	87
PID 3928 wrote to memory of 3812	3928	MicrosoftEdgeUpdate.exe	87
PID 3928 wrote to memory of 4892	3928	MicrosoftEdgeUpdate.exe	88
PID 3928 wrote to memory of 4892	3928	MicrosoftEdgeUpdate.exe	88
PID 3928 wrote to memory of 4892	3928	MicrosoftEdgeUpdate.exe	88
PID 4892 wrote to memory of 1968	4892	MicrosoftEdgeUpdate.exe	89
PID 4892 wrote to memory of 1968	4892	MicrosoftEdgeUpdate.exe	89
PID 4892 wrote to memory of 3048	4892	MicrosoftEdgeUpdate.exe	90
PID 4892 wrote to memory of 3048	4892	MicrosoftEdgeUpdate.exe	90
PID 4892 wrote to memory of 4532	4892	MicrosoftEdgeUpdate.exe	91
PID 4892 wrote to memory of 4532	4892	MicrosoftEdgeUpdate.exe	91
PID 3928 wrote to memory of 3764	3928	MicrosoftEdgeUpdate.exe	92
PID 3928 wrote to memory of 3764	3928	MicrosoftEdgeUpdate.exe	92
PID 3928 wrote to memory of 3764	3928	MicrosoftEdgeUpdate.exe	92
PID 3928 wrote to memory of 2100	3928	MicrosoftEdgeUpdate.exe	93
PID 3928 wrote to memory of 2100	3928	MicrosoftEdgeUpdate.exe	93
PID 3928 wrote to memory of 2100	3928	MicrosoftEdgeUpdate.exe	93
PID 1956 wrote to memory of 4364	1956	MicrosoftEdgeUpdate.exe	95
PID 1956 wrote to memory of 4364	1956	MicrosoftEdgeUpdate.exe	95
PID 1956 wrote to memory of 4364	1956	MicrosoftEdgeUpdate.exe	95
PID 1956 wrote to memory of 1932	1956	MicrosoftEdgeUpdate.exe	97
PID 1956 wrote to memory of 1932	1956	MicrosoftEdgeUpdate.exe	97
PID 1932 wrote to memory of 2592	1932	MicrosoftEdge_X64_126.0.2592.87.exe	100
PID 1932 wrote to memory of 2592	1932	MicrosoftEdge_X64_126.0.2592.87.exe	100
PID 2592 wrote to memory of 2508	2592	setup.exe	101
PID 2592 wrote to memory of 2508	2592	setup.exe	101
PID 1956 wrote to memory of 3048	1956	MicrosoftEdgeUpdate.exe	104
PID 1956 wrote to memory of 3048	1956	MicrosoftEdgeUpdate.exe	104
PID 1956 wrote to memory of 3048	1956	MicrosoftEdgeUpdate.exe	104
PID 4292 wrote to memory of 4432	4292	Roshade.Setup.3.3.1.exe	105
PID 4292 wrote to memory of 4432	4292	Roshade.Setup.3.3.1.exe	105
PID 4432 wrote to memory of 3652	4432	msedgewebview2.exe	106
PID 4432 wrote to memory of 3652	4432	msedgewebview2.exe	106
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107
PID 4432 wrote to memory of 2148	4432	msedgewebview2.exe	107

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

C:\Users\Admin\AppData\Local\Temp\Roshade.Setup.3.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\Roshade.Setup.3.3.1.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Users\Admin\AppData\Local\Temp\wv.exe
  "C:\Users\Admin\AppData\Local\Temp\wv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:3812
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1968
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3048
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4532
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDgyRUM1RUUtMkY2MS00NTM0LTkxNjMtRkI2Nzg4RDZFNjI1fSIgdXNlcmlkPSJ7RkQ5MTUxMEYtOTIzMy00NTA4LUE1MDktMkExNUQ0QjZEREZDfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezExRTExNUVBLThDOTItNEFGQi04NEIyLUE1Q0MzNUUxNUU1RX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTg3LjQxIiBuZXh0dmVyc2lvbj0iMS4zLjE4Ny40MSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDg5MDE5NTkzMCIgaW5zdGFsbF90aW1lX21zPSI2ODgiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      PID:3764
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{082EC5EE-2F61-4534-9163-FB6788D6E625}"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2100
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Roshade.Setup.3.3.1.exe --webview-exe-version=3.3.1 --user-data-dir="C:\Users\Admin\AppData\Local\Roshade\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=4292.752.10098082329096435416
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4432
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Roshade\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Roshade\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.127 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=126.0.2592.87 --initial-client-data=0x15c,0x160,0x164,0x138,0x190,0x7ffe6f9f0148,0x7ffe6f9f0154,0x7ffe6f9f0160
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3652
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roshade\EBWebView" --webview-exe-name=Roshade.Setup.3.3.1.exe --webview-exe-version=3.3.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,3206583168921232680,6670342898754424278,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1912 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2148
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roshade\EBWebView" --webview-exe-name=Roshade.Setup.3.3.1.exe --webview-exe-version=3.3.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1796,i,3206583168921232680,6670342898754424278,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2056 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:868
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roshade\EBWebView" --webview-exe-name=Roshade.Setup.3.3.1.exe --webview-exe-version=3.3.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2280,i,3206583168921232680,6670342898754424278,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:392
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.87\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roshade\EBWebView" --webview-exe-name=Roshade.Setup.3.3.1.exe --webview-exe-version=3.3.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3472,i,3206583168921232680,6670342898754424278,262144 --enable-features=MojoIpcz --disable-features=msPdfOOUI,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3220
- C:\Users\Admin\AppData\Local\Temp\Roshade\7zr.exe
  "C:\Users\Admin\AppData\Local\Temp\Roshade\7zr.exe" x -y files.7z
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.roblox.com/users/24354878/profile
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffe61b946f8,0x7ffe61b94708,0x7ffe61b94718
    3⤵
    PID:2948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:4452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
    3⤵
    PID:2660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:4748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
    3⤵
    PID:2016
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
    3⤵
    PID:3828
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
    3⤵
    PID:4208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
    3⤵
    PID:948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
    3⤵
    PID:4192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
    3⤵
    PID:3032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4303532370230540781,2625312639299075679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
    3⤵
    PID:4580

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDgyRUM1RUUtMkY2MS00NTM0LTkxNjMtRkI2Nzg4RDZFNjI1fSIgdXNlcmlkPSJ7RkQ5MTUxMEYtOTIzMy00NTA4LUE1MDktMkExNUQ0QjZEREZDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjM4NzVGMTAtMkRERC00MDBGLUIwQzUtNkQwQ0U1QUE3Q0VFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjExMC4wLjU0ODEuMTA0IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MjAxMTIwMzciIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM2NDU4NDI4MjQ4Mjc0MDgiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTE0MzI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODk1MzUxOTYwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:4364
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{50688E55-A33B-418C-A43D-47BAAACB13FF}\MicrosoftEdge_X64_126.0.2592.87.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{50688E55-A33B-418C-A43D-47BAAACB13FF}\MicrosoftEdge_X64_126.0.2592.87.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{50688E55-A33B-418C-A43D-47BAAACB13FF}\EDGEMITMP_157E2.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{50688E55-A33B-418C-A43D-47BAAACB13FF}\EDGEMITMP_157E2.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{50688E55-A33B-418C-A43D-47BAAACB13FF}\MicrosoftEdge_X64_126.0.2592.87.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{50688E55-A33B-418C-A43D-47BAAACB13FF}\EDGEMITMP_157E2.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{50688E55-A33B-418C-A43D-47BAAACB13FF}\EDGEMITMP_157E2.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.127 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{50688E55-A33B-418C-A43D-47BAAACB13FF}\EDGEMITMP_157E2.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.87 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff67836aa40,0x7ff67836aa4c,0x7ff67836aa58
      4⤵
      Executes dropped EXE
      PID:2508
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDgyRUM1RUUtMkY2MS00NTM0LTkxNjMtRkI2Nzg4RDZFNjI1fSIgdXNlcmlkPSJ7RkQ5MTUxMEYtOTIzMy00NTA4LUE1MDktMkExNUQ0QjZEREZDfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0VGQTM2MUM2LTQ3RTktNEJCRS1COEU2LTQwQ0RGOEVBQkEzMH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMjYuMC4yNTkyLjg3IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTA0NzI2NzE0IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDkwNDcyNjcxNCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxMjQ4ODMyNTYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2JkZTY0ZjQ3LThmYTMtNGY2Yy04YmNlLWQyNzQyNDFiNmEyYj9QMT0xNzIxMDU0Njc4JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVdvbVlYRnY1bEklMmJHQWc3MmwlMmJkNlRyJTJiUnVXTlRBRDJiaUMlMmJ2WjRjWEF6dEFyOWFxdUlZQ09sRnZ2bTBlQ2tMZFE1OEMyMWJJQTdScW1QZVNhRkY0dXclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzMwNDEyMjQiIHRvdGFsPSIxNzMwNDEyMjQiIGRvd25sb2FkX3RpbWVfbXM9IjE1MzQzIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTEyNDg4MzI1NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxMzg5NDY4NDEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjU1OTA2NjUwMTgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI0MjIiIGRvd25sb2FkX3RpbWVfbXM9IjIyMDAwIiBkb3dubG9hZGVkPSIxNzMwNDEyMjQiIHRvdGFsPSIxNzMwNDEyMjQiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjQ1MTcyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:3048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Installer\setup.exe

Filesize
6.5MB

MD5
44bab1ba8bbc80a6f11a59a921ade1fe

SHA1
71292aa421fc9cefd9eeade06fc5af52f71e8dc2

SHA256
a03c11b73af7ccf83f2a4bc1995f9083f8415174d1e8f6d6465e9192aabb542a

SHA512
fcb6f75c3367b91da92b3d866ae6b85428d8c2ef13499344e80ddd3bb30f47d1243120aa41eba519756bcb6ff5f9708e7fe7281265c4c32766231765aa8104e2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
687ccc0cc0a4c1de97e7f342e7a03baa

SHA1
90e600e88b4c9e5bb5514a4e90985a981884f323

SHA256
ecbab53f1a62d0459d6ca81f6c004651c09562f8e037b560dcb0890a2c51360d

SHA512
4da91ee55de7abb6ce59203edd9ae7e6fcacd5528ac26d9e0bfbd12169db74758a9bc3fde437e3c1d10afc95d74b04b0e94586472b0a0bb15b738f5e6ec41d8d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
e3f7c1c2e2013558284331586ba2bbb2

SHA1
6ebf0601e1c667f8d0b681b0321a73e8f4e91fa3

SHA256
d19616ac12d3d536c8fbf034513a4977c88ef2d1676d358a2358fa051c8a42ba

SHA512
7d4fd7ad06b05d79211144cbaa0047bdb4910212565b79f292a6bea652735dacf69435b24c73bc679cbdad4207f6352726eb297a1e7af4f7eef14dbc8a2ca42d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
a177a23ca2ed6147d379d023725aff99

SHA1
1a789e5ef7bf9f15f2ccbac5f9cf3750ee41f301

SHA256
9c584238ea9189afd6b11cf71604b1c2762ac815d6ca8994788de7e076b21318

SHA512
c508ffd3e2cc953d857a2128e29dfdfe0f9e729da38c9cc3022c4376342aec946c6e79176e7885f6637008573c85339bdc8a9e261b3811887ecf5a7dd78383c3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
258KB

MD5
4f840a334c7f6d2a6cba74f201e83a7f

SHA1
cb032c7b1293190f8f1cd466f6ded4bbe71c47a1

SHA256
2ff44aa5f48a3e5b3ca3c5a3904be23d29a282b467e30d6f52494df3dc1d612d

SHA512
575c20fcdbebb16bcd17a137a656769d355a81817e7fa3743981976998e00bdf3ce42bbfa046c42a835e9e9e7a10ef6f8d7b306de9940fa332817cb2885db833

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
1125e435063e7c722c0079fdf0a5b751

SHA1
9b1c36d2b7df507a027314ece2ef96f5b775c422

SHA256
7d8d1756343598bc651d62a0e81835820e0d6cf7a995503bb6b129b4bcc37df4

SHA512
153f096af5c874c00a3c38602fab590eccf885f642040007b67799ef39d919d7cb261fba43a9ffbd68c8824eddea219505d49e05b3dcc70f00e6016a1fbd12b9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_af.dll

Filesize
29KB

MD5
3a8fa737407a1b3671d6c0f6adaabd8a

SHA1
b705b27c99349a90d7a379d64fd38679eed6ec30

SHA256
5995a5ae09cb7da69b5a6f8ea1a60406d8ebc2201b627417b578ebe903d22276

SHA512
9872f32a727b248d3edafe303e5290e1bae0c270a988500424221970c0041268c1626ebb94712a0b8ba0f21d2f29d833ab9dbc4db884f7f9af5a5063f94d71b5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
86465afa3ac4958849be859307547f57

SHA1
9bbde5e4df719b5a7d815dd1704ab8215602f609

SHA256
921fce73f4fc7b47749d250f5ab885141bd5ddec2ad057b049e470cffa4a6b20

SHA512
13e178e317280cbd585261aa22a840ea2203d4ef5c845f4fd6d5b4fbf216d45aae55153aed43c1fe4284d45391c72e580e612347b2903effece8a2252a13b90e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
819e3c9e056c95b894f1863208d628a2

SHA1
596993f5d21cfd92f29e2ea5b0a870dc2ac19917

SHA256
588adf8e9a300e39b51f7404356c4ae863dee1f404664933585f8d9f2467d494

SHA512
3a7e67248895ac2cbb1874514bffe62a23cdfff2c3674d21589f528ec283ccf3cc2e3abfea0d81f49046c7ba920f3e64cda100c5a20be69b91ce05095b50c06b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_as.dll

Filesize
29KB

MD5
d1aa2764e05f7c8c88a17bb0cd25b537

SHA1
2bee78f103faffe3e25ca20c915cc6b46e2134e4

SHA256
3dd5aab43eeaa6202adc115f40fc1feb5332128388c2d8e62176fdea20035097

SHA512
80762e4611b8ac451490e5238c0650be048bf315526ed405d9c5837e5002bd6a9526f335a06c6baa009cba671ecb0613c76dce23086e13333f332480cbd9ced0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
1e4093c3b0af3eed6f95d2620d45bf40

SHA1
e29a10ede562f2d057d6fc04c3a286996051a14d

SHA256
afcc0b001c7ffc1f5bbdea02fcbd6054e8b15aff9ae47366910bcf5908d4437d

SHA512
843480e2d2b431f32892830c26fc3e4b80656d069f83f9a9df78d10b1e22c9ceca99171360b2baa921d156995d87ea5223f18b11e2a8ac18fabdf905881940b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
c30674009659b56bdb6a60f8629f0eb2

SHA1
4b6fc6ea93620a206a621875513455b57fd24e83

SHA256
d09c23ecd92f5cfbe650c63bc93af84c11c9ae143a5838286c04169eab8bd103

SHA512
8947a9bada21ed2e0f2cf080d58f9473a5c54092a5c1f75ca9523b48143caed346e831714e80466cc2e88513e507aef422d8560b69cbf8663eb21ab05c61707c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
a8817334810c093e0c280e2a61caf36b

SHA1
9b3b2a8e33de3fa8df0b6b6ab4a40ab1d088ab28

SHA256
18d4c6a9840ba877dd1906ff258fb06c245cfea6bab00bbffe18c442957393ac

SHA512
24ee9a0c29d42c96ccec7f4f3322c3b6a2ed0e4d68b17a5b424a364f789adaa8f1404784c8feae77986cd0be39579dacc9ca89a3fa868bb0bf11d94c95f0bb23

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
4d2988ce0b2cf5cb02269a2455e1174b

SHA1
d89cd05805965648c9e7b8bb4bc8bd3605ce2d4a

SHA256
cbc9a8a3936e6cb279885dc8a23261a290e85907f947a1a16fe9e7d6bdee69f8

SHA512
64cee7e579367faca4864ebb5feb9dee310915f8640780a5a52c19f5c68d817adab7ef357913a68fe841a3b2e801e85de173a37402cdd49cf35319571ff6ce44

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_bs.dll

Filesize
29KB

MD5
3e817089a18c72bd505dd6bbe5ce6163

SHA1
2c21b568c2fda5e475a1a996b73874ba6fe420dd

SHA256
7c31aa69e3109d7134443c47b12859fffbade13a2f994f0bf42a8fdc12f796df

SHA512
20534eee7c59a9cdb595c3f6d01abc8cfa534aaf84a693d3b011e4dada3fde080142a95ba036270a6a2ad2b65e6fdb18b08e53552715cc4edfcb87662fbf8100

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
30KB

MD5
e0de8c3f8252202d2f68341290c45e34

SHA1
1d3322ab111774484be8865c1893dd834c3f52f7

SHA256
ed3676152ff3f24f93034f3931b0a735b704906c50ed59a8b9cf49452afb1891

SHA512
bb22666ba675c88715aa1b906f2b356c0d4289723052b942f416d3b56f727666f4fb8cc51609ca96be0c76ffda85cfbdcea917979e8a1ada5a5ba1b82e5bf816

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
9e4ddaa68d6d4f210905092096051b36

SHA1
f38198c364da7b5ebcc75aafdf42a7d55699d8d4

SHA256
8bbbe723da938f6f0b3cc35f48779949c5fc177b5dd157ee053a088e2968f48b

SHA512
d65102c0f4337cea443c5f8e65531f0f7b628c5edeff17257b427d1073a1b291d1cc90fe46dc4bbd2c2988f940480d46e5abb2cbb9985bcbafa7e5f3bc727151

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
731cb513cd866dfc65e12446a0d4d62d

SHA1
be32570fb7fd50c43cf1ae24e7a35302eb5278fe

SHA256
829630039ca9125aeb8885d069214b4112972ed02dacd309ddd26fe087f3fec2

SHA512
6357f965c183e89e5a1c485a0e3becf56ab91265241568d7df7fdc1c01f1ac8fa58bd206762ada8cec99b6988eff60c41cf4836290d5e007fff63a69a78de68c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
04ee3ec0e73eae42509bdfb689927610

SHA1
6176e7ae836dcacea10f7004b04ba85e3e081da8

SHA256
5410d30b82c006e207a8fab3a771eed3abff145d19ddcc92e48d47bb54684e81

SHA512
89c41d77066fde1cad219603d1bbdd812a65bb0680d3c545ee4cb63135486296f1af934a69161e76ca53d00037729e75bdcc22a2eca954eba98cf3f34af5d839

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_da.dll

Filesize
29KB

MD5
9fa41c3ba8bbd84e85f71c3cd377d90d

SHA1
363c1d61c84fee42987193e8edeffa522eccbfdc

SHA256
157c6cee2a283c6a1966356f8d91172f55c05408f292dc352579a4dc9283c0e6

SHA512
34569a917bf08ac7d50add115b09cd8bf4583a3bc7652fa54c1cd606cb94e752f4e4e278fbb99ea1e41e2d712f82893ca5f59bbed05a57c8d29b2d7037d835e5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_de.dll

Filesize
31KB

MD5
896c0f7b03a6cd211fea53ecc71a1308

SHA1
434eac60a992ea77945a77964050a5d0e41d48b2

SHA256
84ffabc322775aee896df188189fd633483c3eb10571c8c86ec55561c2329582

SHA512
7d2f9fc0086b3dc60275c6a2e17b0562626a57fb080dc1bc4cd5ad80c2501f366e89533aa961613eacd3a0bce343bf831e8cfa3d3a691c33481042b1ee02908f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_el.dll

Filesize
31KB

MD5
8cb60db631b0939688f39e76564505cc

SHA1
6dee577de716460737f7a330f440880b4e73c5c8

SHA256
e8f7c8baaa1187c430c22cfc5907541411ab46e0609a53d39b015d722e35bf6f

SHA512
d43216c1a8ed2daf51d70d476b789a3797bd62f69c1a556e306dfccc41efea73117eafb970010d7db151cd3ebfb7cd82de01efb4e2a2c0757b2027732a3361f5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
1b79536b20df86a2bd8b232abe07d533

SHA1
a9d24de616055f9800d5c4bc902cb2d0f625d178

SHA256
fbf5215552bf6e12e7ba5c3e6e69748c47b6750845f5e4f048096903ef009008

SHA512
ac4704fade4879992f0a67888e1e4098be2879e5e3ce2bd80275ce68729f0037497d975e1ececb587ace4d72f3e71b038f616725831d4fca12280d583cd77d7b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
a430ce95b80c07bb729463063e0c7c48

SHA1
cc488bdc18c191d88dd93e45bb85fda19d496591

SHA256
c9c8a06948123607b7b35d0d46c9600b1d3e2f674e6117820b4f559818c26b60

SHA512
cc9c24b95d079a949a8e725002494b0c75c19bce9ec6457cb4307f5803b7433eed738944f1baf770df8e034212224b1d9662fa533aa5bc5c01568d192fa49efc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
31177139af7d1da131c31d7d5cbe8099

SHA1
113f3b38baeab35d2d0f51f1238f5b9e11402f26

SHA256
39e80dad7071bc0a82fbd3475a780b50b9c0f1cac2240322c48b6befb1837163

SHA512
6828a1cab2fdefe642a0b58f47c31e02b9dba7b15ad28cdb8039b194d9a86e2d24ff0e658fdf982e3d2d4208a2b57eb7546136e4739e64d714939c14a3d58410

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_es.dll

Filesize
29KB

MD5
dd3dd031e05a54c4bbf6660dd8053608

SHA1
f32870bb0f7f522fd536c4ffae8c39c9d2f266f1

SHA256
2d71da96f961fafe269241c27290917bf54a3c7fc5ced2de0c4b33e4b0386dab

SHA512
7b0bb0ae619baea45cddab042d10d7e4b394c70a29c01632585fec7ff9aaa54a50a8fbc894f02af5e2130cff11c4573cf41ab6b5fc4c29392b69e72212c41c2d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
2e1b7c75e1ee567906a62eb19ee4308d

SHA1
10b77bc1040db4a3712a94c2e5ba56be3a54bfd4

SHA256
83a38cc799974f6a018dea761420a77e25bf17d2c1b7d09d6d75a7b50c5762c2

SHA512
9bcbb626945390ca07c99b4a698036b2a59869040944866edb893f4e5f7a6524b8980183f9825b33bafa41b10165b7ef6d20dd7750e38edd880fc22362110c08

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_eu.dll

Filesize
29KB

MD5
60417e3a859f5e728bb9edeacc439309

SHA1
ee96ac74353e0e1725e09a6e5e6d070767286e45

SHA256
698dd9be2f9edce221977a6c076e894f72ffd1287c4a67423d1ea06ddfa90b21

SHA512
2470f2cb04c720e3b0259ea2440761adef1493253a7a93242ff543d52936a67685a59d36d3e7f39c7807c2ee1d2932109534337e3096137441668f9cf507d16c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_fa.dll

Filesize
28KB

MD5
3d30bd97390f100a3dc9cf3263623434

SHA1
ac328d192b4218722e0994c8c3c67df1aa8383ba

SHA256
a66e9dc8829de13dfaf3e727ddf5a1655e0dd8844ab95fe461b61f996287a802

SHA512
bb45aaca5f13bab5ebb5b542a71635e15cf0a111ddf752db510f7f161bd889f58ff30d0fcc4f36e9882564271a32281d4d9a48cfffe06172e2a46041b2af62f9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
7483cb4ff3f422d05af3267a242130e3

SHA1
f723b294d2088cf8a4ff2478e18470b256116979

SHA256
c3800427be8e5550e6fa985f28bb4cf183f8b49d398533ad0eacea53a5a573d6

SHA512
fc5ef6b792a9c2f113f5fc6cef1bf268e8688ae8f5de369224458c07b4fa229da3b6bcf698b0d9962d4644b7e1b9c682cf4f4dfe66c46c0297a41a14fc6e53ed

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
1b18f02bac918465032f9c4c6226f3ee

SHA1
8173e1be4375ba1ab5fcd35da8b8a4399bee1fbb

SHA256
e1f0c497bb4d9b2a9f4cb6cf6e382fb4fb8827979c5eb230737af3953db24bda

SHA512
baadab3af2d3988acc31a94f9b1321a613a794cd8b8da2ec2e938b7cf7774d586f566fa2bfdfff6da4f05c90e8cb101e261883faa4de48b9a911cc37576ec999

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
a2ca38f79d18fd44b0288fab8cb6f31f

SHA1
5e94d1265d5dee58d9ff7c72b7b1ba7b07eb4948

SHA256
40b00c38c1cb9b0ef6b916ffe1e52605f2523659592e29d06f3f08716033df69

SHA512
37a1aacbe69b90fb3b89bf92b6851a8f7038061dd009bb372db64227657224604ab01f0b09bee54d43205a08536cc43f992ede01cdab64cbad404cd557ccb34c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
9666bd1ba06b37249980b198b22aa208

SHA1
a26043d46dd8767f76e111cc971a53237ce720d3

SHA256
5f2461703e6da108b61709078bd19ddf18ff673e8059ec795d52ded554846fac

SHA512
61b893bf94fb3efb70b8da1412d6eb149734da1bb2d3eef2a62fefac469e0e0f3f25b851c6cc0ef2062f826e32ef777bd6469a3402d6dd7aa596600476f14331

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_ga.dll

Filesize
29KB

MD5
ee66c6c39b414cd5adc1c59be87074b1

SHA1
6f34917e48c5e55850ba55b528faa6e075a76230

SHA256
5ac439af44574f3b1c5557edcf8bc416babdba89aaebd51bd5d13d9c023ba5fe

SHA512
451fdf3331b8f02bb60530dc184a0ff5e2193bc05b59e602e8b633047209ca668e38968e7cdae268e993d619be44685fa0e06a46f2ac3c0f8c606a3e4b4825ff

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
e4dbb357e40a839f9c8caaa5a1c1b827

SHA1
10c66bf5312110a2feed763afa41a448d4070bd7

SHA256
e18b53fd3b34c85dad87f43b7833b518e61c712c3b48c6967408312ff9e43b35

SHA512
a09ca0ae932a81919c37faf138dcf017bd2fe9ad21ae8a560444d7c7d3338213274e205d04b7378512603537af2d5fa0235c2ba2bd458cad947ece24c99c9e71

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_gl.dll

Filesize
29KB

MD5
d53c4b0747cd028a7a4a59fcdfe6f375

SHA1
edbb5606edb9f9899c18853872a2380bb02f39bc

SHA256
0ea76700d2286185f0b65d24106b81258e1593e617a4e66a129004b659518bd7

SHA512
56ff2ed53a6b9f3a2c2f36713b18049ac2bba2494992f0c1dc8d92d2d9dcfe0cb1296041e9a53394bb4d5402e03794b99a774f9054609dd48d42622eb192ac72

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_gu.dll

Filesize
29KB

MD5
099eef142a6e8af6f7bb01895dcac818

SHA1
02d320adb865e6cc6bc22c70ac51102b3473d1a2

SHA256
9208225c1d83b314ead913c9c5a4f7d5d353a048642f102cfd06bc94598a41a1

SHA512
e2586b5660ee6e0cd0030895f9c4c398432d041b2db03d1f94e2df47d404d78baa8a18eecab1736d313eb031fdfd2600cf3025b7a39c00cbb82d2b7b094de24a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_hi.dll

Filesize
29KB

MD5
8ae7c60978f1797c22819452c28e5755

SHA1
e3c595e988d06248da11f415d279b7371b068e8a

SHA256
c591dbd7563109d709a6fd6b897a3439fca8e14270c4905e6cfbba98590fb6be

SHA512
fff4683ee4b0233f37bb8196e9b30e34d66712e0c462207b48c7e5ae40b36c440aeb6015f3b7db3f723bf02c5b0a3853cf2d0a424d187e2587bb4c568f93f3c9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_hr.dll

Filesize
29KB

MD5
99298a89e5aaddd4c5d31c8159e9df40

SHA1
980b0840b77f5dfba8af1fe1132afeefa7343e55

SHA256
771d490248327bbed8e0f666284b02f691252198034f5b4873c4f5863b60dbda

SHA512
0776b89edf8a6be71e813db06c48f0bd97afb4f90387f39f882b255dbd818bd6edffa6ae719d758a63d7d0c236b303e0a053a3741bc9941f3b850e9298820b7d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_hu.dll

Filesize
29KB

MD5
3b3917a776c95d41114b590f31513253

SHA1
6aaf5c9054a4c661f1374f4828ce15cb065d1db1

SHA256
a96e5b1a84537708d5ed1e16e59f593cfc35599024e333f0ebaba631f4655ce0

SHA512
f22b73146cd84f1e14eb83c461bebc56317bd32b3f734c5f2103cfe6f395a822da33873ff7331330b54c734c2f15685a2b9fac9dfc1895f80e46ee8f2fcc2155

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_id.dll

Filesize
27KB

MD5
eb92a889850152a3c67a046b26afb1de

SHA1
25744a9c829c08faa644d4fdddbaaef2c662605b

SHA256
f66d54d3e1ab099d8df66700a9dd04018d088d3d47422b59636bbe1868de495c

SHA512
14f353ed295e9b2adf1bae45e9eb8ffaeb738f1ca75b7bfdae9c1162b48e24d32ff8c2472d701924c341d9ad4a8216576f666bd08cf012167d325f013987f64b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_is.dll

Filesize
28KB

MD5
3f3efa36258e2aa2e06d692e25003a72

SHA1
eb263e69ae3242a518ea0e4c6563e4a99e294292

SHA256
b5b48151003cdbf1368b2fc3431fcb5a9646504439b14a95248048706e0b89cd

SHA512
a5b20784e9531f37a0d25352b033a75d2d5286d914ffba2d401f37ac34fb3acfe024b70c1cbe8ba4a8e9f447db3cc5f45990e2e7e71461961a33d2ef2409efb4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_it.dll

Filesize
30KB

MD5
7a928cdc306a15eca2acba8c6e7fb49c

SHA1
1d61d526ea7b21b5efcd70d40942bb0b2a3e78d9

SHA256
45f3d6c9396208c5a92af53562db2924a6369004a1f6a06bafdc5c51bbf7c084

SHA512
843d93cea038ace31ad92e9cf92f2d3b7b6a627c4926605c67760740c6b1e6d7adf965fd549c0aee327b409227e5afef8758944e0015278a035c8b9efd2ac8f7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_iw.dll

Filesize
25KB

MD5
8e4ca001a9ae5aa92c5e74b9b6d490fa

SHA1
70e3a474c967873aad7d2ad9cb4831f17e032701

SHA256
34eca96f268259a6a67308cb4acd4ec00f33ca3b03c29d5e7cff47d83c137b4c

SHA512
997b66aa0c70e26b9b3893f61d9c26a05f87c6d8eb7c1d4a579bfcd1bd54382978f76c1fa6cb59cca20749bfa43890b6c4a65922d77e7914b00821c49fc5e0a2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_ja.dll

Filesize
24KB

MD5
52a48aa3c01cb348b109e7e2233b85aa

SHA1
8bb93772ada23ad818788de655c2b1f68bfbf9ee

SHA256
1708bf78de41b10f3fe8c3f56de08af88670f672390970de76878dfcb5cfb1a7

SHA512
3c3246ab0b780576304765cad51aabf71dae49181983ea7eb4b084f31aef500794604db4c7153e9866abf09dcf5be971808eaf0910fdca7ef1e36fe10bedda92

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_ka.dll

Filesize
29KB

MD5
b2447c1b8586e9d659bd6c236589e60e

SHA1
9f0642a974738bd5eb0569dcea308d46d3235dce

SHA256
2a3830279c80da4ce28b02391703d5315e4b674cc81195bbd9cc18f1bcd6f67f

SHA512
7c2fb588fa440473436318e1028303831941988ea9f36ca56c5acd8936b4f52246973c6c76a1e7b3b25ba5069bdd986ec04709c6e0a4f6f2bafaa2029c1c0c91

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_kk.dll

Filesize
28KB

MD5
fe09bc3153f94b68208f3ae813e15cb0

SHA1
7e7264fe77a31826549919aa99c7af6ad3769c40

SHA256
3573e2e52e84b9ce87e535244376f8fb57c9bc565c5ef3a6defaeb7433a3a958

SHA512
a6cd7185c47496a3fb666f8fa53cdf40fa1f71cb3759a68088da5f20f54bc4198d0d0c85fc0f0fc215827f4631c1022eca43878487f9fc379a7cfbbd229fb102

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_km.dll

Filesize
27KB

MD5
a01f834efd28c57faee53d79949ecec5

SHA1
c3cf458bb2f1315f5d2fc4e2c4dfe2bdf8dcb0f7

SHA256
ee917d39a77d9a66491da123f0a54242c444f3a0e72645121488f7cdc75c8889

SHA512
b767e3be9a164736e8b5aca1768cba4452c2c2fe543f30e08707f6a63ce0d345474c922c9af09f702c437887d4d9dd2d1be59ba69395e9f0f0a47273d7a2e3df

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_kn.dll

Filesize
29KB

MD5
9360c3a97180c78044c67fcfa2f51a8b

SHA1
b1fe6cf821e6dedb1f961833c791a9ce7b2c5754

SHA256
84b3f954cb61c4a87c769c215ec570e8974141c6534517b128989931e881e7ee

SHA512
f65c857c1f6364fccf512125d841ac86d4457e0d1d8aae24bab65b1aaf79502993218a2e41916fe32d2ef10af3f8691fdf76c0b280d4778a67b3984fd3af2d8f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_ko.dll

Filesize
23KB

MD5
83995c5253aabdd4bd236d8238809ceb

SHA1
18c763f657ee6d3270829290564fb0199615f122

SHA256
bd4f94f7d9e3617d7b05fefe59925b7cbfe7dfbdcf051b6fb378291b7b7bfb25

SHA512
ebbf4bbd8970b6f7eac79d73a6858c0b9546d3ee7ec189f05e74045f6c91385376d4110256aced247828e17812e505919babcd5f623006289021dc3e5a2abb69

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_kok.dll

Filesize
28KB

MD5
4140a967a1579c92bf488998b934fd86

SHA1
9a174bec29f2c166c612e9cf2b25b47d99ef9be7

SHA256
9c9a0984b09ec8ace7e6879dabc5ca60cac45c00992972a91dd6425bf2bffe62

SHA512
12436a277adcea2aefcdacc3d96f78a759e8eabe313887dd7c2fe9a5f6c02b75bd301b82a8120a11f51b6c8120d56b47eb7988b3f9c7bada34dea2de182e27c4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_lb.dll

Filesize
30KB

MD5
c6b06f583f3e048363e22c24caadbda6

SHA1
3c119a1008c463f7efb55492ad88ce56fbb3533c

SHA256
3a4342864e18ea9050f0c5c58a89c95fc5a1b868c835290a3be244965b08f314

SHA512
4aef4224601b9a8df3b07188133b9d97fa90e06a245f49397baec7fbcb85996ba886f13b41c3b909a6b87f821c4f969f77f6be112b1c71c21f8a585d087acdc1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_lo.dll

Filesize
27KB

MD5
96c98965a7904d7adaa31f5f8a1f1f95

SHA1
1d9fb588e7cca9c2a7836ec49eb9202081adeb1d

SHA256
b7285701b7a1ee1089568caa05a1e527825f578baf188eabf5d43179a934669f

SHA512
d316000ad7e65f9b131664411b8adbd0e27842e9f61a016b5f5f1624202c5281939459f9380ef63977b217126ac5bdb481d5ae9ae318beffa44aa57303930372

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_lt.dll

Filesize
28KB

MD5
41bb0d130f5466432a94b2a45028ed5c

SHA1
23a81de294a82986da25eb86b73097195a629e78

SHA256
ace485702162345de29b705b3be37826db72f568a44410d7961732d1cd62e56c

SHA512
f106ee7052352d41b0c56d0a557239860dc7e885823cf21ad2cffc00ecae603227ccd18f7d9d1edb2c6752263c9b159e444124d1256b8c442c921d1add69cfbb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_lv.dll

Filesize
29KB

MD5
14c89980237895b168b2805db7964212

SHA1
8c2bccf5b24869c2ffc19e6230e866d5721bbc3c

SHA256
5a4fbb96bd165f7dc7a55d56f70ede22068819835b60ffc14d7a370c2c891804

SHA512
83f436072281daa4d6ad7ae4e27912ff661ff72bc3ad34e41f96574925e9abbedc1e3381d557320208aa23978c50a8b46c2d9ee2f6fdc630e30658d207803438

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_mi.dll

Filesize
28KB

MD5
761440b1b177daf4f51beb2f66d79c16

SHA1
76577f1e098e7e81b2ce9e61d6e853c5491a5dd2

SHA256
49e02d60f70fcd0d7ab35cd0deea17ba1f8c687dcd0484ed34a31a529d63ac46

SHA512
ebcb7c62427fe303d3f381b626fabbf4d1aa35583db7333b90889f0b3462b6196dc2dd8649d1071e893c1461870e046476f6089cdc2024f7a71dbc533e2fa103

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_mk.dll

Filesize
29KB

MD5
c3aeb80795b68157737bcf7535c69bd1

SHA1
163c1cb7d0ae484f1cb9e6eb25c80969efe2f702

SHA256
ef2578df3ec1bc94a9624f80af4bcf8e70392553ae28930063692dd7d1d4c46a

SHA512
ebef893a8e82f7fa99a5e6a5d94da72788c83e7ba4e385a8dc189c622e5759200f136742dcb812d1cae6f1564f97ee4ffc9d10650bde2b88e5bff298918b9432

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_ml.dll

Filesize
30KB

MD5
bd23100a9b8bf75e9e5e68966022bd71

SHA1
6562f97d29d19e41b864aae00a1c1279b7f44dfc

SHA256
e56c8c324b1578347bc93c0fe47d9b6276b999a18e9da52e414d56006e1fdf48

SHA512
d77594af22cf97afc68bc7857daf1032333009111675b52fde7c2f83bf7658585f6915abea38e5d3e524453a34b6633a5d5b00594f10cc86da7e4bcf616acf2f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUBF49.tmp\msedgeupdateres_mr.dll

Filesize
28KB

MD5
8725cb4ef60ec46f76f4129b959f6a6e

SHA1
5ed33580e581b6d9b026ba2b385df0b93d76d382

SHA256
2436c483e8789dd4ba5ca2d0713020b1c1f812b113d5dddc3f8473cdd9667408

SHA512
d65ec21da2ef8256125820f781bc2fb1a4feeffa62c873fe439f2a2f1c151ef548da1feb58618aba3a58f6a154ea4f3fb70e6aebffb588b5a84770d77d783fe7

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
e38e7c8f571d629d6283118b800e2cf0

SHA1
608f302526d874a606cbc5a0311590ae4ab9d262

SHA256
3b7f0c1ac46f1c4a0937debe7452990cc4387ab8e86ceedee7811cbe27ad0887

SHA512
0ca81c314515f2d50b92e44a52a1847a190c24fb447a75d934fc06f912e3e74c92b1a4575b2f86eeabbb293ddfb4bff70f25562b82f6b7b1be823f993d5ed187

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
200KB

MD5
1a92122c67a816e78034d856ddcb3b2e

SHA1
43157f05123b445e3e665d4ad5c148ca0ab9ce1a

SHA256
90dfef2b9015b0c70ac7308d732110fcf3f5835b522ad6caceceecda5d292c7b

SHA512
5f8758d8ed8ec3f7f4ff59b02be83930a7b9fe24fc44de8f68b8e8c96fe1795a89dfdc03ff7552bbe992f9002fd49747b4f5d1221b3cb5aa628ffd5d0930401f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f060e9a30a0dde4f5e3e80ae94cc7e8e

SHA1
3c0cc8c3a62c00d7210bb2c8f3748aec89009d17

SHA256
c0e69c9f7453ef905de11f65d69b66cf8a5a2d8e42b7f296fa8dfde5c25abc79

SHA512
af97b8775922a2689d391d75defff3afe92842b8ab0bba5ddaa66351f633da83f160522aa39f6c243cb5e8ea543000f06939318bc52cb535103afc6c33e16bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a27d8876d0de41d0d8ddfdc4f6fd4b15

SHA1
11f126f8b8bb7b63217f3525c20080f9e969eff3

SHA256
d32983bba248ff7a82cc936342414b06686608013d84ec5c75614e06a9685cfe

SHA512
8298c2435729f5f34bba5b82f31777c07f830076dd7087f07aab4337e679251dc2cfe276aa89a0131755fe946f05e6061ef9080e0fbe120e6c88cf9f3265689c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
38265166fff9a109d5e1ef1a7e952b2e

SHA1
36a92e153cc7cebe182288c0b50fe2c28d45b0b8

SHA256
7bbb134f59d6f52b92a0afd1c3d2a8efe88586f1f395caf9548e65628193bea9

SHA512
f00df50e5b1aa1b0006550fb75577a1a3eca76d4eabc87bf1dc63395e19e61925ecdc55588292352f263126c0ff1dfa50d0b6e0eadbee80d8dc2baafa239f603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
aa5af6d99b6ae069684452d65cc07251

SHA1
4df797198adc2f5e553ff34615656cdf20a2aded

SHA256
01a3848bd85583b1ac495f4bd9d4522a202fd75ac2d331c04f00af87d55ca43d

SHA512
a3081b519eaaa10804289eb2d30e019a35c4e9f3cb9b43120a6f223bcd6555562147c75954f12c12e2fd947e68f6ca50398c46fe5e496716a80564101b35d8be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6edef2179bf1741e3408cf4b99788be2

SHA1
9b5dc06476ec97a339cdeb17d621a0d937c04aca

SHA256
8a7bfdbfe11639b0eed91c8bb36dfd3e2113c053411f778e695e8ec5e39211c8

SHA512
0b3bce90ceac428c5f558582fb0879a8aca2e32a980ae0d251b01d603b20e4d591c68929d9f54db444cdb8ee601c1b4e1464abeabb44ba9b99eb8e6140c7457a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e5dd1de2df4b6c08f24a8fc6b2b20521

SHA1
0505377d547c5a8f4228a2c09f5ca78177786265

SHA256
759e00e799519139154c5f853fb7bbf9ae886d304f6b59379395bb109184dcc4

SHA512
9fcafbacb591601fc83c1091e0de3e6ebaa116d4bc06534f024fad5913124a191f4c6958b7a3df18ce04abce87589a7c915b657b4f829a0522e02d6d525e67c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b462623b5b8ff67e3b7253eb8465ad60

SHA1
4964e95c441effba8326ee9f179af75d550d7b9a

SHA256
1cb53be0a86452ebbc3371672ac907eeff3e083ded1e965fde0a3c516d925212

SHA512
a2a209da27c55b0ceb5620f22cfed0e2e4ae834a2252cfa5b889dda8e454dfa06bafcff9f842bb3772404b25bcf7db76164220499319c6624bb3d1431e9f3c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
cadb4fcecd81c0fe90afa77a99a87b75

SHA1
e3d6debf1907bb9983090ae3969ee89bb1876b9b

SHA256
f9400379cae401e35f444309ec538dccac62e8cf2a088faf64c9081fe20dfbf1

SHA512
eb5f33f7272cc860c3b9d6ebde9790290c4c6e32cd32925bb134ed49786ae7c3f4ecc452e3a68a85c107a87f4ea81329214b36914a9a0c06db91735181f62add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59b82b.TMP

Filesize
3KB

MD5
9b3d3adae1b66d2e6688a66d87e94632

SHA1
a4ec9337d734503e6b544dbcc6ee37154f410369

SHA256
c515a91dddfb18091cfb1fe8f885df4c92323a800ab96c823cfcc6f830855246

SHA512
35493345a00ceac1da3bcbd33df7183b20897527f265aa986aab7c19bd076dce2fecfb63a8093618bdb90a4c5f9056a36c6e095881a846b1e1b3cfbf34b93039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
76c0b2df70bfa6e89436466e06fcb3e7

SHA1
2a54432d19dff91c1463f38c6a32c9bcf42b1013

SHA256
4a60807817e088d22680ecce238f768219f1259d443a24b963b2c434e602ea3b

SHA512
33a400e30091f2e1dab688f9cfb554e0bd092483e1a26ab2d05a340778250a73c61376f06db0ffd1e119f7ffd3969dde36495a86f0fa65b1f3ee508a957a585c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd3686183a72e8a68eb76d55b2a8869c

SHA1
cabcd520eabb9a55a75763ef692e6fb6531cae96

SHA256
11f066158bed4f6eee799877152f9a2ac358f4a6b9d51b1d905d9e5dab22216d

SHA512
5b4f1cc4f144d6801af26da87981ed0ce275fe1bd54df07e294a9275eabf783ee0eeea91ee1c67510e1059ced222d7c5265b7754381ac12e9e2d39c5d6b52ef7

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
e5b3eafe78e142a80b472fefa4be07a3

SHA1
6583acfd4a643809e15f4d1f4628e6a98316e3ac

SHA256
fc53705ee4fba5343cc68539912d5b550a49cfc11774873b003407577900bed9

SHA512
c0669601449a9fe6b0040b3a6f8787d3b409b093251aaeb8552186d4ca08e806bed4f9e6ddd2f4c3e10de50a2b163f9d5f4ef5f78cfdb883264815ddd55dafbf

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
7d1497cb55759acfc846c4ca8dbca4b5

SHA1
1834b50e4ccc98d73893bc32e3aae3bc1ec386b7

SHA256
6c3a496feb59b0229a3947496d48e97c36f64a8c6ab801b08bbbca28ff5beef9

SHA512
7b3b030e360a6f03bc4b8fd0bec237cfdec6a21e6785e09ce53e08839050f55965500f6280ea9f3057389a44ed7b16cba24884407fafccbb1060a7d5895e9ae0

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
f92278949119ce3d66e47b0fb6029288

SHA1
81b28e030b0feed6413a192984e08891a6a248df

SHA256
1cf1af0c4df8fc36a996b19de37c3ab66aa6874890b5dd216050cb12238e2ec2

SHA512
ab8c89990b2ca82ca9c9804785e6b3224018aa7bf3522e3eb91d7f04f1ce07383cfc562c0e9f1e06f74243cb4b3f1119080ef92e48a6a1350991e3bc259f0109

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Extension Rules\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
d995c65e30f4840546fc0c2786fd78cd

SHA1
ed00810a8a7fa7d8551560be9b9d923eceb5ed72

SHA256
d15faee04882e8ee4efc46569a3624653d5cb939163b4bfcaf8fe25b988fc252

SHA512
68e24ae4cf8375729e6690c0ea9672a6eec4da0215c6716af1f17abaa96564930410077aa1c5560af301b7293cdb8fa013b7f9c550583a81179ac0459ea7cb59

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Network\Network Persistent State

Filesize
2KB

MD5
f9efafa5cbb1e19634951296f0186a2d

SHA1
21b992ddc8bb06ee6ee31a199ad3d20c4fe16ad7

SHA256
5413d253d347e82019229985f98aa33534e86d071e3a002173e3931d59cb641a

SHA512
b99c08125542742f93721a69c38b87f570137cc135098dc7cee116066678ca315d417e683aaf59e194574767bdbc9f1ad4bcd48d8746f418abdea5798dbd0e4f

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Network\Network Persistent State~RFe5961dd.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Network\TransportSecurity

Filesize
523B

MD5
def53908f1bd5c9c7afcb0e2a607e8de

SHA1
a19e7e996aff25217d4e6b3b587900efc46cf096

SHA256
1b5bd6c63f8c5ea58289482ec5999e7842f71aacc87109b4f39b6812f35721aa

SHA512
c5296d4f09dfb2bc2317e8d3660739495393ef6a7e399d4addcfdc5ab09bde8a176a195117a917cad13af20108b7ad0671d8a257910d83147e2f926aae13beb1

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Network\TransportSecurity~RFe5961cd.TMP

Filesize
523B

MD5
d1142b643c3ea237816ff199762e28d9

SHA1
499196ccaaed1bf478104f9ace043225716cfdb4

SHA256
ae098c067acc2b9230d6151c150b29dfbe99833a5b7df74f7813f6a996c5ec48

SHA512
606cd220e3a0730eb63db74e29a86889af2e278a47dae2840bfcd8f159d3ffc813db0b7d14e451dfafb8d47548630e16536ab62ef57adae426404210a6250807

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Preferences

Filesize
6KB

MD5
a431649b17e8cd266232db8f87db5755

SHA1
3191068694376210d07dac3314027e124e1d7348

SHA256
5395b08fde6c23e6e82f1f1d19b79d0ad182f21fb23768b5174c64e0bc78fbc7

SHA512
022ed24cce32da7baf6ddf8d7bf3dd40bd5519a1c6e5ae5c37d52ee4e59cc1e8a184a834456a62a2bddaf1589423e2e47ed868a3d5254759849de200efe29a66

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Preferences~RFe59619e.TMP

Filesize
6KB

MD5
78a718d64c7310c3799bd47e22ca4cbe

SHA1
1347bc3630b614e68587bd9a839010edf130099e

SHA256
e4ee435cec6b82dd6cc888540932148228455278e58f49eb359fe69fd1105e41

SHA512
051f60698b25e68db274918e0236825f1b86b7ba802c1d681324815c3c0383ff0f3e7dbf040aada622ab78c3a0eb9599271dee1fbd1f90da16739f420257cccf

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Local State

Filesize
1KB

MD5
cb268dda28cb8a2b1d923b538c1e0e47

SHA1
f0df718fdd515a962c9f1d23cfee24b6801414a7

SHA256
bad8f1bdea6ffeef0ada3a51ecb2c45705ca17abaa913ed57e951813b5374fa6

SHA512
0c68df1e8ddf9bee6c6f956868e9e16387d5d5446494f71593cb6d6b1b49129c7af8a135c99f324bd303e47030110285786883615138fcdada0ae84b5f71d8c0

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Local State

Filesize
2KB

MD5
b8717a1fce7a488fbc0250e297ad5f3d

SHA1
a4cd684f761bcce2bf7220897c229382c56644f4

SHA256
1f2718d06c9cfe12ee9b37773dcbd4f8788320b4b3d6acbb6fc0527232082a37

SHA512
afd21f9708ad3403db03de0b75261d0b98db1f0afbde420d12cbbf56e60f899b73a08b251ca53d32d61c6e39216258af767dd4e0b61afd6751e7c071dcc41955

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Local State

Filesize
3KB

MD5
91bf111cf2b22cc93b9ed994a09798ff

SHA1
263767d3511c594652ab0e465cc866fa6ac5d3c5

SHA256
f995dd2fd31edddf2161dca75c283d17d6049b564df08fb9a64157983b08832e

SHA512
58e9427389c9cb01bd0429e626a243251b8a3a91eba02ad1aa7674cd4374cd87d9ac716691ee90c91b154093cfccc56ad0ca2632559ded1fcd7d34d62bb4f4ac

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Local State

Filesize
16KB

MD5
ba42b7b28248ce58ba30b75c4a03fcb0

SHA1
6a771bf48e44c9aeb7f39f5f99aeeb8e350d901e

SHA256
3081c17e373fd0d574b0de3f7093706272599ce9a1cdf3cabac9171e5f90985a

SHA512
939d86b90642db8cd328add62c2e69de16a604ca55d8b507b1067526077f30b1151012ae2e9c50dbdea39f12a5f8665c95164023430baf396e9f730ebdfea313

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Local State

Filesize
17KB

MD5
62fee326eb2a7ba636d4c561d40fac2d

SHA1
65566c486cbf9d34a320c5562a97b31b626c85c9

SHA256
bfd3978f98b7f4bd4ee344f199bee40bd9548ea430a9c36b02948d88ca8269da

SHA512
0eea8fa9d2a753a5128883074d960fa290c1dd5bbd1a8b927d7d1431ba6f836466c6db66b3ca2c5c38a62818e06e1aa835d311c74a1fd6bc72cb88fbdaf467de

Download Submit
C:\Users\Admin\AppData\Local\Roshade\EBWebView\Local State~RFe58de84.TMP

Filesize
1KB

MD5
639fdeeaee864c07e3582cfc39466c3c

SHA1
b1e7d7ae7fcc374f5376dd62e11e7c29c5f4ca5b

SHA256
bc3c9dabbae434b5095902d3abdda0e18a3d7321f8d70761e0648d71fb7912f9

SHA512
d3267886975b08f346e6c6f38d3a1ec6410018026d954e9a0dcead459b27ddae56b11e09c99e642ab808226b6149b7867b75cc9003624daa251162bd5b68bcc7

Download Submit
C:\Users\Admin\AppData\Local\Roshade\Roshade Launcher.url

Filesize
79B

MD5
82eae2bd26ed7b0ff2963676829088f7

SHA1
9eaa89c9bbd533cd248f616bdab1c62227f0faf7

SHA256
04a3e38d0d04f8d6bf803ccb28bbb4088b3d2eeddf66433a57857fd7fc3dc561

SHA512
44b2c3f7e825337d3c46a7802b12e2a5da112b8150857998ffab1225f00259b881f7681812f8493312dfaf256bbcb957d4990326bdaee814ccb2e3f19e2fcfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\wv.exe

Filesize
1.6MB

MD5
db7fb67fcec9f1c442de25f3ad59f50c

SHA1
b600aa26d1cded59760304c6d77f4ff75722eabd

SHA256
c227208854734bbd38c9f74f39034111733da5c7ce71515b1610aedd79417f9f

SHA512
c14ec7d252a6f201dfea476d302fbc5140713cb4ea7bc8d4e610bfd806b3fa3c141153e2e9b8cb36255fba1fab4d4400ed83f5f5c1228d77d77bace41d5de7fe

Download Submit
memory/392-350-0x00007FFE7D460000-0x00007FFE7D461000-memory.dmp

Filesize
4KB

Download
memory/392-349-0x00007FFE7D7D0000-0x00007FFE7D7D1000-memory.dmp

Filesize
4KB

Download
memory/2148-288-0x00007FFE7DFF0000-0x00007FFE7DFF1000-memory.dmp

Filesize
4KB

Download
memory/2148-514-0x000001E0180B0000-0x000001E0181DA000-memory.dmp

Filesize
1.2MB

Download
memory/3220-347-0x00007FFE7DFF0000-0x00007FFE7DFF1000-memory.dmp

Filesize
4KB

Download
memory/3928-242-0x0000000074E70000-0x000000007508F000-memory.dmp

Filesize
2.1MB

Download
memory/3928-258-0x0000000000EF0000-0x0000000000F25000-memory.dmp

Filesize
212KB

Download
memory/3928-196-0x0000000000EF0000-0x0000000000F25000-memory.dmp

Filesize
212KB

Download
memory/3928-197-0x0000000074E70000-0x000000007508F000-memory.dmp

Filesize
2.1MB

Download
memory/4292-0-0x00007FF687660000-0x00007FF6882D3000-memory.dmp

Filesize
12.4MB

Download
memory/4292-492-0x00007FF687660000-0x00007FF6882D3000-memory.dmp

Filesize
12.4MB

Download
memory/4292-555-0x00007FF687660000-0x00007FF6882D3000-memory.dmp

Filesize
12.4MB

Download
memory/4292-695-0x00007FF687660000-0x00007FF6882D3000-memory.dmp

Filesize
12.4MB

Download
memory/4292-195-0x00007FF687660000-0x00007FF6882D3000-memory.dmp

Filesize
12.4MB

Download