rhadamanthys | 18b7e51b0f80744208e78cdbdc707e5b8467991af8bdea3c47f3ee25ad864277

Analysis

max time kernel
216s
max time network
222s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
19-07-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LoaderV6.zip
Size

15.2MB
MD5

273e74c7c8e4fefcafca7ab2c634fef7
SHA1

9a01e91e93cef5c77de8c70b8ae80da15a540fff
SHA256

18b7e51b0f80744208e78cdbdc707e5b8467991af8bdea3c47f3ee25ad864277
SHA512

d3f788e51d165b72ebf9c46a3463dd594df308bc199a8f70db25945450ab0c5da3cb1aeffeb6cf9f46f323150bd4d5d660fefd054fed956a5b491dd21e228277
SSDEEP

393216:wjdAJ/kHfMO2/w1kBY8l5aFEYF/pAYfxXaI+vQkXLLcDlE610Cgr:wjKsHfMO2/wBFFF/pAYfR0vQk8DlN0Nr

Score

10^/10

rhadamanthys discovery execution persistence privilege_escalation stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3644 created 2612	3644	BitLockerToGo.exe	49

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
728	powershell.exe
2964	powershell.exe
728	powershell.exe
2964	powershell.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 27 IoCs

pid	Process
996	MicrosoftEdgeWebview2Setup.exe
4456	MicrosoftEdgeUpdate.exe
1176	MicrosoftEdgeUpdate.exe
1884	MicrosoftEdgeUpdate.exe
4252	MicrosoftEdgeUpdateComRegisterShell64.exe
2320	MicrosoftEdgeUpdateComRegisterShell64.exe
4852	MicrosoftEdgeUpdateComRegisterShell64.exe
4716	MicrosoftEdgeUpdate.exe
3124	MicrosoftEdgeUpdate.exe
2324	MicrosoftEdgeUpdate.exe
4820	MicrosoftEdgeUpdate.exe
3008	MicrosoftEdge_X64_126.0.2592.113.exe
4708	setup.exe
256	setup.exe
3508	MicrosoftEdgeUpdate.exe
4804	msedgewebview2.exe
1852	msedgewebview2.exe
1356	msedgewebview2.exe
5032	msedgewebview2.exe
2880	msedgewebview2.exe
2312	msedgewebview2.exe
4936	msedgewebview2.exe
3604	msedgewebview2.exe
3772	msedgewebview2.exe
2252	driver1.exe
1960	msedgewebview2.exe
2528	msedgewebview2.exe

Loads dropped DLL 47 IoCs

pid	Process
4456	MicrosoftEdgeUpdate.exe
1176	MicrosoftEdgeUpdate.exe
1884	MicrosoftEdgeUpdate.exe
4252	MicrosoftEdgeUpdateComRegisterShell64.exe
1884	MicrosoftEdgeUpdate.exe
2320	MicrosoftEdgeUpdateComRegisterShell64.exe
1884	MicrosoftEdgeUpdate.exe
4852	MicrosoftEdgeUpdateComRegisterShell64.exe
1884	MicrosoftEdgeUpdate.exe
4716	MicrosoftEdgeUpdate.exe
3124	MicrosoftEdgeUpdate.exe
2324	MicrosoftEdgeUpdate.exe
2324	MicrosoftEdgeUpdate.exe
3124	MicrosoftEdgeUpdate.exe
4820	MicrosoftEdgeUpdate.exe
3508	MicrosoftEdgeUpdate.exe
3940	loaderV6.exe
4804	msedgewebview2.exe
1852	msedgewebview2.exe
4804	msedgewebview2.exe
4804	msedgewebview2.exe
4804	msedgewebview2.exe
1356	msedgewebview2.exe
5032	msedgewebview2.exe
5032	msedgewebview2.exe
1356	msedgewebview2.exe
2880	msedgewebview2.exe
1356	msedgewebview2.exe
1356	msedgewebview2.exe
1356	msedgewebview2.exe
2880	msedgewebview2.exe
1356	msedgewebview2.exe
2312	msedgewebview2.exe
2312	msedgewebview2.exe
2312	msedgewebview2.exe
4804	msedgewebview2.exe
2580	loaderV6.exe
4936	msedgewebview2.exe
3604	msedgewebview2.exe
3772	msedgewebview2.exe
3772	msedgewebview2.exe
3772	msedgewebview2.exe
3288	loaderV6.exe
1960	msedgewebview2.exe
2528	msedgewebview2.exe
2528	msedgewebview2.exe
2528	msedgewebview2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	loaderV6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	loaderV6.exe

Checks system information in the registry 2 TTPs 12 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 3644	2252	driver1.exe	151

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_ka.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_ug.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\prefs_enclave_x64.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\bs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_iw.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\ru.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\ml.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\icudtl.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\Locales\fr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_sr-Cyrl-BA.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\msedge.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\is.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\ug.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\ne.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\fr-CA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\Trust Protection Lists\Sigma\Advertising	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_kn.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\BHO\ie_to_edge_bho.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\sv.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_fil.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\vcruntime140_1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\Edge.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\Locales\pt-PT.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\Locales\sr-Cyrl-BA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Trust Protection Lists\Mu\LICENSE	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\fa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\Locales\bs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\Locales\tt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_fi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\id.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\v8_context_snapshot.bin	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Trust Protection Lists\Mu\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedge_200_percent.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_hu.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\is.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\lb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\fil.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\MEIPreload\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\pl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\copilot_provider_msix\copilot_provider_neutral.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\msedge.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\Locales\ka.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\Locales\kn.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\delegatedWebFeatures.sccd	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_zh-TW.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\pwahelper.exe	setup.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	msedgewebview2.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2840	3644	WerFault.exe	151
3868	3644	WerFault.exe	151

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4980	wmic.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3060	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	87	Go-http-client/1.1
HTTP User-Agent header	90	Go-http-client/1.1

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133658654861146234"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{513C065E-085A-40C1-B47D-D2F56F9AA0D1}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.193.5\\MicrosoftEdgeUpdateOnDemand.exe\""	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods\ = "43"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{513C065E-085A-40C1-B47D-D2F56F9AA0D1}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\ = "Microsoft Edge Update Core Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{513C065E-085A-40C1-B47D-D2F56F9AA0D1}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass.1\CLSID\ = "{8F09CD6C-5964-4573-82E3-EBFF7702865B}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32\ = "{513C065E-085A-40C1-B47D-D2F56F9AA0D1}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{513C065E-085A-40C1-B47D-D2F56F9AA0D1}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{513C065E-085A-40C1-B47D-D2F56F9AA0D1}\InProcServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DA54E8E-61A7-4FEB-A84E-CE76BBDB5175}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.193.5\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CurVer	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CLSID\ = "{E421557C-0628-43FB-BF2B-7C9F8A4D067C}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods	MicrosoftEdgeUpdate.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\LoaderV6.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe
3940	loaderV6.exe
4456	MicrosoftEdgeUpdate.exe
4456	MicrosoftEdgeUpdate.exe
4456	MicrosoftEdgeUpdate.exe
4456	MicrosoftEdgeUpdate.exe
4456	MicrosoftEdgeUpdate.exe
4456	MicrosoftEdgeUpdate.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
2964	powershell.exe
2964	powershell.exe
2964	powershell.exe
2580	loaderV6.exe
3288	loaderV6.exe
3644	BitLockerToGo.exe
3644	BitLockerToGo.exe
1072	openwith.exe
1072	openwith.exe
1072	openwith.exe
1072	openwith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
4804	msedgewebview2.exe
4804	msedgewebview2.exe
4804	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe
Token: SeShutdownPrivilege	2236	chrome.exe
Token: SeCreatePagefilePrivilege	2236	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2852	2236	chrome.exe	90
PID 2236 wrote to memory of 2852	2236	chrome.exe	90
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 3076	2236	chrome.exe	91
PID 2236 wrote to memory of 1884	2236	chrome.exe	92
PID 2236 wrote to memory of 1884	2236	chrome.exe	92
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93
PID 2236 wrote to memory of 3104	2236	chrome.exe	93

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2612
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1072

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LoaderV6.zip
1⤵
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff833a2cc40,0x7ff833a2cc4c,0x7ff833a2cc58
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,15672988327557802393,1009879256476621063,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1736,i,15672988327557802393,1009879256476621063,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,15672988327557802393,1009879256476621063,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,15672988327557802393,1009879256476621063,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,15672988327557802393,1009879256476621063,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,15672988327557802393,1009879256476621063,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4708,i,15672988327557802393,1009879256476621063,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,15672988327557802393,1009879256476621063,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4772,i,15672988327557802393,1009879256476621063,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3088,i,15672988327557802393,1009879256476621063,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4336 /prefetch:8
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4404,i,15672988327557802393,1009879256476621063,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2324

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3584

C:\Users\Admin\Desktop\LoaderV6\loaderV6.exe
"C:\Users\Admin\Desktop\LoaderV6\loaderV6.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3940
- C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
  C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:996
- - C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4456
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:1176
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:1884
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.193.5\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.193.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4252
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.193.5\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.193.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2320
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.193.5\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.193.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4852
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTMuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE5My41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0ie0YzQTZGNTA2LURCRTUtNDFFRi05OEUxLTU4MkJEQ0NDRTdEQ30iIHVzZXJpZD0iezA0MTI1MzQzLTRCNTAtNDRFQS04RUNCLTE5MTMxQUI3Q0M4Nn0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9IntCQzc2NzYwRC0zQkI1LTQyQzQtQjhEOC03MjBBRTU2MUNGQzZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0My41NyIgbmV4dHZlcnNpb249IjEuMy4xOTMuNSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU3NTQ0NDQ2NyIgaW5zdGFsbF90aW1lX21zPSI1NzkiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      PID:4716
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{F3A6F506-DBE5-41EF-98E1-582BDCCCE7DC}"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3124
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=loaderV6.exe --user-data-dir="C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=3940.4372.8638868118447614030
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - System policy modification
  PID:4804
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.183 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=126.0.2592.113 --initial-client-data=0x17c,0x180,0x184,0x158,0x18c,0x7ff833090148,0x7ff833090154,0x7ff833090160
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1852
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView" --webview-exe-name=loaderV6.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,10604830519041799390,10895266473631185199,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=1740 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1356
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView" --webview-exe-name=loaderV6.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2020,i,10604830519041799390,10895266473631185199,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2028 /prefetch:11
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5032
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView" --webview-exe-name=loaderV6.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2196,i,10604830519041799390,10895266473631185199,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:13
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2880
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView" --webview-exe-name=loaderV6.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3632,i,10604830519041799390,10895266473631185199,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2312
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView" --webview-exe-name=loaderV6.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=4664,i,10604830519041799390,10895266473631185199,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3772
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView" --webview-exe-name=loaderV6.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=4652,i,10604830519041799390,10895266473631185199,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=4800 /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2528
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4980
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\";" powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Desktop\LoaderV6\loaderV6.exe\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Desktop\LoaderV6\loaderV6.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2964
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:4612
- C:\ProgramData\driver1.exe
  C:\ProgramData\driver1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2252
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    PID:3644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 484
      4⤵
      Program crash
      PID:2840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 480
      4⤵
      Program crash
      PID:3868

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:2324
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTMuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE5My41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0ie0YzQTZGNTA2LURCRTUtNDFFRi05OEUxLTU4MkJEQ0NDRTdEQ30iIHVzZXJpZD0iezA0MTI1MzQzLTRCNTAtNDRFQS04RUNCLTE5MTMxQUI3Q0M4Nn0iIGluc3RhbGxzb3VyY2U9ImxpbWl0ZWQiIHJlcXVlc3RpZD0iezU1MUEyNUVBLURGNzctNDJCOC1BMEI1LUIwNkNGRTNENzQ3MH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEwNiIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iOSIgaW5zdGFsbGRhdGV0aW1lPSIxNzIwNTQ0NjEyIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNjUwMTcyOTI2MzY3Mzk1Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDMyNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU3OTY2MzMwMyIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:4820
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{70E246C6-12E4-4EC7-9C8B-C52D21AB0F4E}\MicrosoftEdge_X64_126.0.2592.113.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{70E246C6-12E4-4EC7-9C8B-C52D21AB0F4E}\MicrosoftEdge_X64_126.0.2592.113.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:3008
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{70E246C6-12E4-4EC7-9C8B-C52D21AB0F4E}\EDGEMITMP_0656E.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{70E246C6-12E4-4EC7-9C8B-C52D21AB0F4E}\EDGEMITMP_0656E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{70E246C6-12E4-4EC7-9C8B-C52D21AB0F4E}\MicrosoftEdge_X64_126.0.2592.113.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:4708
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{70E246C6-12E4-4EC7-9C8B-C52D21AB0F4E}\EDGEMITMP_0656E.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{70E246C6-12E4-4EC7-9C8B-C52D21AB0F4E}\EDGEMITMP_0656E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.183 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{70E246C6-12E4-4EC7-9C8B-C52D21AB0F4E}\EDGEMITMP_0656E.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.113 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6e21aaa40,0x7ff6e21aaa4c,0x7ff6e21aaa58
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:256
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTMuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE5My41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0ie0YzQTZGNTA2LURCRTUtNDFFRi05OEUxLTU4MkJEQ0NDRTdEQ30iIHVzZXJpZD0iezA0MTI1MzQzLTRCNTAtNDRFQS04RUNCLTE5MTMxQUI3Q0M4Nn0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9Ins2Q0MxQTk3OS0wQjA0LTQ5RjEtQkIwRC1DNTA5RkExMEE4MDl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMjYuMC4yNTkyLjExMyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU5MjQ3NTY4MCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU1OTI2MzE4NjciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MjM3OTcwNjE0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wMWEwMmQwZS05ZDhkLTQ3YTMtOGMzNi05YmYzOGRhYmUyMWE_UDE9MTcyMTk5Njc0OCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1XVHp1bmFQMTQ5MGZwOWFzeVdNVHFLQ2RGa0NMMWFPMk9kTEhKcUtEZGNmRDFBa2dTa1lKSUd3czZJandRQktTNlZHbkZMRE9DVEJKRXJSVXF3T1ZLUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3MzE0ODYxNiIgdG90YWw9IjE3MzE0ODYxNiIgZG93bmxvYWRfdGltZV9tcz0iNTgyMDUiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MjM3OTcwNjE0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjI1MTI1NTEyNyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjY4Nzg1Nzk1NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjgyOCIgZG93bmxvYWRfdGltZV9tcz0iNjQ1MTgiIGRvd25sb2FkZWQ9IjE3MzE0ODYxNiIgdG90YWw9IjE3MzE0ODYxNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNDM2NjAiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:3508

C:\Users\Admin\Desktop\LoaderV6\loaderV6.exe
"C:\Users\Admin\Desktop\LoaderV6\loaderV6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2580
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=loaderV6.exe --user-data-dir="C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=2580.3576.12640272707593964012
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4936
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.183 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=126.0.2592.113 --initial-client-data=0x164,0x168,0x16c,0x140,0x178,0x7ff833090148,0x7ff833090154,0x7ff833090160
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3604

C:\Users\Admin\Desktop\LoaderV6\loaderV6.exe
"C:\Users\Admin\Desktop\LoaderV6\loaderV6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3288
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.113\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=loaderV6.exe --user-data-dir="C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=3288.2708.16775048207170592175
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3644 -ip 3644
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3644 -ip 3644
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.113\Installer\setup.exe

Filesize
6.5MB

MD5
4dda37fd043902a07a4d46dd8b5bc4aa

SHA1
aeecafae4cca3b4a1e592d93b045de19d09a328e

SHA256
806500bb5e7a3e4a2a84d4d08e97d1872dc7ee8f8c255e3c6c2d39437c9779ac

SHA512
903280cf47888fcd491b5aa70ffc4de60458fe8fce6e164a02118308cbd36ef0d2e6ecd418d19242d605f9c516598fe723908e28baf702c4c65a284fabc60111

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
181KB

MD5
5679308b2e276bd371798ac8d579b1f9

SHA1
eb01158489726d54ff605a884d77931df40098e4

SHA256
c9aef2d24f1c77a366b327b869e4103ed8276ea83b2b40942718cc134a1e122f

SHA512
9eb5ef48b47444909b10bf7d96d55c47c02814524df6a479e448e9ff50b9a462ac03c99f57258d0ed8fe3665fb286dde0d9be5a47019fb4d9c68da2b2589e898

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\MicrosoftEdgeUpdate.exe

Filesize
200KB

MD5
090901ebefc233cc46d016af98be6d53

SHA1
3c78e621f9921642dbbd0502b56538d4b037d0cd

SHA256
7864bb95eb14e0ae1c249759cb44ad746e448007563b7430911755cf17ea5a77

SHA512
5e415dc06689f65155a7ea13c013088808a65afff12fef664178b2ea37e48b4736261564d72e02b898ced58bfb5b3a1fcdd2c7136c0d841868ec7f4f1c32e883

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
214KB

MD5
8428e306e866fe7972f05b6be814c1cf

SHA1
84ea90405d8d797a6deba68fd6a8efae5a461ce1

SHA256
855e2f2fab4968261704cab9bae294fb7ec8b9c26e4d1708e29e26c454c7b0af

SHA512
bd40fc5fb4eeca9e1671d0a99a7ccd1d1ab3f84abf62e996827a60e471adecf655b5ed146cdaefcb82d29c563e4eeba7c1b2da243218cbca55009064dcad1f21

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
260KB

MD5
64f7ff56af334d91a50068271bed5043

SHA1
108209fde87705b03d56759fd41486d22a3e24df

SHA256
a98505367c850b6ef6d2df68d24d83643767a6fab8f0dd22cc60509b3363ce51

SHA512
b70c1d2a26f59e94b31beb3151f69d7eb9de8841399b618730d94263cc5402f391cd5cfc6621c8666e5e073e6f8c340d6fd3511f1cb1cbbf6ee75312598f56d7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
d1175f877ab160902113b3a2250d0d78

SHA1
7fc668cd9ed31d093f7c88dc4803ce3f3f833796

SHA256
5ccf3eedf6f1f57d386cef188f070c72583d9a96ff674ce91e8776ced8e989b5

SHA512
ba1fa4f61c3ed3766e6bd0ae95e36d7505774c463ff81b989e64acaf878cfd59fa41109c696ed16a122e68edc2e0c9f96afd9cfbe92bd7351583719b028c1604

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_af.dll

Filesize
29KB

MD5
3cd709bc031a8d68c10aaa086406a385

SHA1
673fbf3172ec1cee21688423ad49ec3848639d02

SHA256
54dc23402365407bff46318ac0c8cb60c165988f4159a654b5d6013e289f888e

SHA512
04e51aeed7c535616f1db7f92841bcda2bc22f85eb06a7ffc5b626f9f69be0219a042e8ae4a486a2f753b7f65901a082b81f5ba72113d9df9ef123b32367d7d6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
15abb596e500038ffdf8a1d7d853d979

SHA1
6f8239859ff806c6ad682639ff43cedb6799e6a6

SHA256
19509364513e1849ddc46824c8b3bbc354bfc4b540158e28e18abb10b8537dda

SHA512
c4642146979700898ad3adeb0160c8e9d7bb56c1e224a778d400764750c9d9cbd7c4ee52bec0853cc0e577884515bd40a1b0fd643cc0b66b56d472e0bbb1c23e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
61c48f913b2502e56168cdf475d4766a

SHA1
2bf4c5ffbfa6d5c5eaf84de074f3ad7555b56d5d

SHA256
8fd703a50d9cb19e9249cf4a4409da71104c6a16475b9725306cd13c260cefd1

SHA512
d8ba17df865bff6e2785986d9a8310ec7b0e530e389bf7baa719e95b7effa84b58c7102d5f9711fbaebdd2bbcb3cd66760f9eeed92c1aeef06b85d3724028d2f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_as.dll

Filesize
29KB

MD5
2ba6aaea03cf5f98f63a400a9ca127ab

SHA1
807c98ab6fe2f45fa43a8817f0adf8abeec75641

SHA256
509cb950d7f5d8f99adff84e6e381001f14571529571419fd5452b48e24c7291

SHA512
d4b91512b586dbc1cd0c63aaa7bf82900ba80de2b3e265b0200f0a4e2bf0c0a3916675fb72f9bc0b4eaa5d9cc07ade94c8210ad2156fea6d3d2416a5cbf98c24

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
d624c5abfca9e775c6d27b636ca460c4

SHA1
8726c57cf5887367c8aa32a1de5298521d5fe273

SHA256
7023866e9644a1edb50f0f388bc3f2aeaab561822e6b7d75ec5c66b151f126c0

SHA512
92d0d5605336c329359f7c4aa7eeaf972f21877ac61f377e7a2f3c6d66f5d6882be649b765e4122043212381034b4131d44ae996dfc1df4a2e248babcb076c30

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
6ff52c5cdc434e4513c4d4b8ec23e02d

SHA1
56b7b73e3cf2cf13fa509593f7c5aebb73639b83

SHA256
414269530f9ecb045e2049266ee0b58df99ac37de75e0e127899eb3218371555

SHA512
adc3b5593a69dcd0a894ed6bc1160fdbb0d0e9e96e83ca4430ef28e9115d6023f54f3e3fac3cba1ff4497e486991dc4e7e40c7b75ce7796a5044f1ccc5411371

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
c52c76a02dbfbadd6d409fcc9df8dd16

SHA1
d406010ac12ed41e6cdc75eaa2daa231a1d6df6a

SHA256
91843e7eb2f1a9e14f51f2b552d8390cf7846b4406b97ca98b105beb40fc461a

SHA512
28b24bbe03f79a7e4ad51e0e15a664cd783b527255ff0952d43086071e494e7e45ae50d8c378f69abb22942eda2e8dcf8421e2922dcff9ff9cb851745750d2ee

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
eea17b09a2a3420ee57db365d5a7afae

SHA1
dc43580f87f67a28c6fa0b056f41c2c0c98a054e

SHA256
b86d6df0b608cbab18ea53c31a9a17c09c86e90e8592f3269af0517c9756c07d

SHA512
53a199b1bd82ddde65fd6c9bb007867bfa3b2c39e07817a7aff39b7596f00a76bc5dc23687c7fb41b75b00b30ddfdb38a76c740c38bfe41dc21e1fa2d698469f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_bs.dll

Filesize
28KB

MD5
1a3815be8fc2a375042e271da63aaa8d

SHA1
a831ce72e5fe3c9477dee3defc1e8f1d3a11aaa1

SHA256
e753e2315e26bc7b8334077846dc91a85fd89f1e483b305af8aaac5b596585db

SHA512
9642fdc3cb49c6d0e4b1c4e1d636007234b126f48da1fe77f586cb8f9403bdc786b54d4bcdbc6175214b7d06a1879f2c809d3fb7e1b920ab36b29a12afe92fb4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
30KB

MD5
253afd1816718afa7fd3af5b7ecf430d

SHA1
36e9d69eb57331a676b0cb71492ab35486b68d95

SHA256
53325e46247a616a84442abbc914b8fa08b67800ab55d5625e43a58b19d44767

SHA512
649b292b80dde95c195b968b51dd168f6f5513b179a35832b5e759795f04e6e6f326a34f6f7db37d12b8c322ccae197455565491c2484b8237c82e1bb2e77ad6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_ca.dll

Filesize
29KB

MD5
7653243e1a6fbb6c643dbc5b32701c74

SHA1
fc537eccc1da0775d145b21db9474ef2996e383d

SHA256
9df1383dfa81c5064acd9130555dbaf2e7413b6e2bc72b1d2340a6013387061c

SHA512
d7834c02a3891afbba040c943ed4255041a6c241d76ac138ad0c04baf589aaa355067395c606e910ef6b91d64042bf9f5c39bd01320d9eaf4ef850a24c17d1d8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
a2c7099965d93899ff0373786c8aad20

SHA1
cfb9420e99cc61fb859ccb5d6da9c03332777591

SHA256
1343867f317fe3fc5a2328d427737d41964188aba50a9739fd0ec98319fec192

SHA512
d2d1cd41bc425a1aa4c491d65ba9c4ced9dcb600f1d60af76151216f8eda310049002e5ca360d1df8f59d6334ad87b950c67a20a6d1c7f8a2ea322c9980b6a8f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
8fc86afdc203086ba9be1286e597881c

SHA1
6515d925fbfb655465061d8ee9d8914cc4f50f63

SHA256
e8dfc22e5a028ad5d423634bf4ed96b90841fda6ff69c35469509f9a988a3269

SHA512
cbfcdea1b4cb5f404553ada87de1240a3746306563f5f200582a21be656b43c0a0e5dcf25cd5ac49bbbe72abcf8147e62aa8a5e0a810bd6fbc7a1eab3e6029eb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_da.dll

Filesize
29KB

MD5
414adfaec51543500e86dec02ee0f88c

SHA1
0ad5efb3e8b6213a11e71187023193fafc4c3c26

SHA256
32684d2337a351ba37411962710983538341012e6526a9129161507aea0a72bd

SHA512
fddc2123237a9357667bbe6b91f93b5a9ba276533b9c16d98adfa01045fca375a7aef5cf83e175c55382a387a16062661a4797da81f39881ab379c7863e2b054

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_de.dll

Filesize
30KB

MD5
d263b293ee07e95487f63e7190fb6125

SHA1
48020bb9e9f49408c1ce280711aa8f7aaa600fe2

SHA256
c4a3198c15489ed873dde5f8a6df708cfc4a6d8722f3f1f63793863098509af3

SHA512
69a851e77124e55f3ee4e3fde169f647731a514dfd16a22013a0ea520b9d6eb9f2aacc9c48a2a812eb8285f46db1a27d196c409587f4549f4e122fdb59ffe1b6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_el.dll

Filesize
31KB

MD5
8708b47ba556853c927de474534da5d4

SHA1
a60c932bef60bef01e7015d889e325524666aeff

SHA256
720074fb92fc405dc7a5305e802e2ecb7d948de58c814b0ebb2c02a0052a6894

SHA512
58d7f419b26a95c986009af9e235fbaca67bf6b1883d8c586c802262fd9fbeaff56b051bf8de8e26f2e4ddeb803bbd4f87c84b1e02f5a43b6614231c59ab258a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
511646c2809c41bcea4431e372bc91fb

SHA1
5b83f1c9de6bfa6f18ccfecf3190a80af310d681

SHA256
719a5c47d3452e3dfda300788aafeba963c588cfea31d1fb1021f846bd6742cc

SHA512
0b45cadd82dd534ba9d4556498817c712bd608b645faee74034c8c48cc39c13c0a8530826690a5c5ef42eb36e3f15f3b97e75625eea8902f12c21291df4cd211

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
ec991a4becce773db11c6f4e640abacc

SHA1
298b5289e2712ab77cecfb727c9c8d47740f6fd3

SHA256
800fc7987f7ac32267e84122eb94d8a21b83c481c2a34b03d832d57debc2b930

SHA512
3e6066cb89abafe963337bbdc371b941ac21b69ceaa19f394512c84c0c06ce9d03141a146144d24172ab6e94f5900071b5b3f38c49f3a079c03bec24bd0418ec

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
9309baaa10c227af2773000a793a3540

SHA1
55032c43f7a7eafb19bca097e3de430aad3913a4

SHA256
a35fa7145fd3bfbc0d71cfe1bdefcb506cd02f0939dbeca83644978af8f896ac

SHA512
21a05fe75d6115a7a49e779c9156ec25880393b30f69fdb80dc0dbe1c3bb401790c8e62525c0e6625b141cecb970b8d650527d73d2d86afa5056177957c44c24

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_es.dll

Filesize
29KB

MD5
1c48f6a58fabc2b115dab7dccfae763a

SHA1
c60db12b55074013293dd332d2736d251beaeb8e

SHA256
0f6775450c40baea4e72d1eb45cff7c1daf2ac1210006bf7afcc91975467c086

SHA512
a84a0ffba4f389698941a497ca6e63c6c632d2eeca788bcf970ea35f1083076950b59b9baeecab7ae17d06847f4675f748cc25b904b03f679801dfb3e2755c13

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
d591a3987492132f6ccd7968a8176290

SHA1
78a79e0e3935dee509938c9a3b095ef486283793

SHA256
02380099a6a942004b0b0042f071108f4896884d19ec7c4cc1264200a8e0aa6f

SHA512
7487a0e63a17cca85a127c8880e33c30fb192fb83bd05dad67cb4a3b9ad6ba84b594194f7126acbfb22ead2c00d3bb776557a0fa012ee1b7d43d88de2c7eabb1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_eu.dll

Filesize
28KB

MD5
67624d2a8017a9c5fbaa22c02fb6d1b4

SHA1
b39c26cb632d6e9cbdbe6f0490e80c11a94782e4

SHA256
eb0033a91d64a80aaa66bd088692a8d089169524253b6286b5604ea1aaf0bc8f

SHA512
f2fb8edb244d781a77c67ab85c40f0521ee80f0349ce897860542b6f32e134043afdccd50cd17e86c234000493f5c3b1b75950d1eb12e4d088b9fc7e012f06d0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_fa.dll

Filesize
27KB

MD5
0b3cbfb6bc674960c6da5c47689e45d0

SHA1
f91aa435a0bb4fefa3f7568d8f7b0e2022fc95f4

SHA256
eca2354e58a321a78bcb21c24beefa050758c08e86218c55c12434c8ce715942

SHA512
3a0e819ec96ec05bf0eb7119687be1a408330703a3c888e49a19fc0bb8ee62f45b1c9a9f24d7593e0355177445e566d6cba62d0b7d437b139eb08b274d3bf13e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
73650ec3b5bf0ac418d06ff2cad961c5

SHA1
5580915cc24402c72c49834cd9bfbd7c845de468

SHA256
6817e994def058448407b6320f325f75dea6e2e561ffc747d0486a716d08384d

SHA512
c08b069993790440f1baed5fbfc07368e9564d9bf0c16007968569b433b0b18ae6e8184f3073d522e92b6a7b4454ac21998b8f4fe80946273710097c659e2639

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
6f2865bdc505a8216aadea20c0a0c6a6

SHA1
a93b8db9aa8f2b2887ad43fa050f98584e3db06b

SHA256
95b158fd84806d0dadb3d9a90f7b8a78040c1ecee5ff4dd266d407848c9f3a77

SHA512
fc9ccad02d6c04e6d2e76b06d5cd60c486b4a2ffcca1cdc638cbeceabfeaf258c8dbcd5ea7fd3f7e2d288577c90565de7005c88638531ff24bfbaf2fba704c69

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
93aa56aa0165d137e497c4b77965a6b5

SHA1
5e1396c24c76dcf8dad5d97e57cfed7372e7b8be

SHA256
aaeaff8fae26262cdb2ccf1faf84bd202ff2a90d9fc95575770bc53bccee2c54

SHA512
adb8e9aaf493a62a930398682522b8e9411a645d85493ba4e601d6f4eebd48fba982c6df8c5d01a78cc135d03bd3aa912fb71c3c8e26d1d99feb898e0a422a42

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
a4aa60f4891441bd2522d577f14164f9

SHA1
19f8a517c449b65967a1ae8b1b6a7f492ad0199e

SHA256
7768c2b03810cdb491986f349992d32717c4c14df6266d5f70fa89aeb01c5a60

SHA512
0a26fc4bddbcb0078f9ad0c5c9417b74f7c30c6a20e1272edbc20a3b0db29ea17dbc3c9224d2f131570444ce4fbf6f20b0b96e720d2b53c882b8735f444091c5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_ga.dll

Filesize
29KB

MD5
302403f155be43251104dadaf07f1c1a

SHA1
2f4a21b1e7aed5792b269ebe7a81dd29c3a6182f

SHA256
3b6dd91cdb5cd4abedff8940c8a9e0f38cb3f8c49084ecbfcd59b788229f3230

SHA512
742c2bd0cd9bc7fb75ee1fea45e434fcb40aed839f2854e17267382278269dcca640b3599823b0e4d04350bef0a0450bfad627586ee49f031d1922d73bc74fd9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
47fcec572a8eea3510596c079c431412

SHA1
732395d8698191610bfb751e1466a868bca9b839

SHA256
4a8c39680f188b75691e80ab5938e34aff83639c06a9722e30555c1cb8a927c7

SHA512
1f18528128b6675f51a91c137e328ea06009636ef5c1970a8a4816437f445bdbf96428a3d310b04cfaf61d0a4adea7a4efd4f9bbd4dadb3f320366f39e40fc7e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_gl.dll

Filesize
29KB

MD5
492d2c11ad558129c9c687641bfafb33

SHA1
c713926e13f062106937419975defd7e69228b35

SHA256
0879c36a3c750ac9bdc4d73ed0ffb23d9c67e6d486291d56d3c5bb60073677c4

SHA512
08d0e4664f07f05f3dea2dfa3d64815067b41cd63701b948b43016369a64151ae515f8c877460037b0f5306c8b080756321d2d6195fd392d86d0e9cc61bc1856

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_gu.dll

Filesize
28KB

MD5
fae86d2dc9b09f0d8c0192e2bb53d929

SHA1
e5d0dc95449d533785367d088ef5a357ebb7dc08

SHA256
5d0f9f75e78fa5c0b0bd2406d6c671675492d92d3dc2515314bc79ba3132e540

SHA512
01c7ae01172d98fc6cbc92510b2bafdc56f794f290139e3bf87952bc98b27b338e31899dafcd36f965e7240133183c5dfd6cf6085468fa779813121a27d7cbbe

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_hi.dll

Filesize
28KB

MD5
8d88faed698fbd4895ad6786acdea245

SHA1
88cea6fe82ac4970a2dafd971277d458b5aef61d

SHA256
c1b2203965c8fb10f6faf65d591400a2da7443d0cba36aa8bde147e1ff6aa0a1

SHA512
0a6eacb240a75135a7c651e524888462be350116ec19522c079fccca31a26904266e38add42eec5ef1036dcaa05ccdf9faf9d3b91923018d1aefbe8d63d1a27f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_hr.dll

Filesize
29KB

MD5
d9f0084ca7d58e6cbc12b7111b9f4be1

SHA1
e96bd472daffd3569551f15eb602a7ce66da8935

SHA256
2d45ff287b4dfe4db12cf83a88ddca14b560d991ef28dc6f5078b44d2603fd90

SHA512
ba7e017b6cfb11a7e1f4a22c28ac8b4d4dc571a91c32ab6d63a87ef9dec334fee0062c5c764c662b6f8f89b80758a7dc1781858d0455ab3eba455c8d83134418

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_hu.dll

Filesize
29KB

MD5
aace1b6afd05113ffe736206e32e8544

SHA1
48fe1f61e565f99ecf6365ddc6c2c24b2f38db5d

SHA256
e395b29108a3a93fcf7411311d4f478f847f0d8337d4a2cefd64ae6bbfd21110

SHA512
be7ae77ce69e6ada5a6169a0efb858723428084f9b7818482f2eaf7d5243d24b9c8131ea01e3f94cc9766d7462e5dae0ce5437247907f764ecff011c866bfd81

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_id.dll

Filesize
28KB

MD5
469423bc5ecca0db996ad9fe789fd58e

SHA1
dc68d62d25ed917f836036911efd5067f9062c18

SHA256
a25d798ed22ad51682aa90f66e5cca638ae095f4141eba6ef7ca45eb1ef217f6

SHA512
360717c97b2f582843de19d819a5dda2cb2f8090c6542c0d87ae1a27cbf154cfd0b845d7f816ca236e65ce17013bb8ca640a5af2c9e5fe4fef05e94405491df7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_is.dll

Filesize
28KB

MD5
5dbbd22cda9cd2e19aae769dc7b083b0

SHA1
53fd1812647e5e413531d8e67e7970d3e22dac03

SHA256
973c96fdecc4a157782414eebb1b17a94b146efe1a97b707043953d0ff1d03aa

SHA512
774a5873117c98096e8826f7b03a8ddfd2cd7a1f815ee855a591f86f68bfd6bdf537ed49c9d4094fe931aa592da3eeefe0ded3625a9b811aa2a55a129dd7d9ec

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_it.dll

Filesize
30KB

MD5
2f7b11cd7db9f173d040519ef0336ac3

SHA1
95e753d8bf61ef56dba6807bf730a42d390da401

SHA256
8f7b44e60f4450655d963cec393fff3fab4f283672a8dbc8109d1ad967671171

SHA512
ea60bff57fd53ab2cad475d753066d108c2108e41e7e4abb6b1bca153d04e07dfbba386ba73efe9b8a84032c9bb4b35b3c655280b43ee93637c5b388d1dd187f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_iw.dll

Filesize
25KB

MD5
54519f24fcf06916c6386f642ebaf8a5

SHA1
2a33c7770c49bb3046a2a78a0457d6dcb3a23f02

SHA256
1b0adf22a09097ce9ac5d102e0f102e6d3f2238c21b6d38fbec3c269bbf87c44

SHA512
704684c706c9a40cdae8a68615a8a9782b29d177bb5c58e8c01e37c139296d6f1d48a446ec211d746aaf341b06a9148e246dd79b0a8a9098de0f66c68ae74eef

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_ja.dll

Filesize
24KB

MD5
12de274382418dd99d1125101d1d63b6

SHA1
4a9b0be76a7136f3b64c7bc53724dc2acc798c23

SHA256
7e4f333b20f272bd86182fb3fa191e8ac6bc84c301e28886edbcb92e6e5e1eb2

SHA512
9b05f97ca079d30560b09ca22efdb314dc7e36cf601d672a260f4c064d7841776891374a18d8ba1fcb4238fb854187b95c2d5643f428277e076b734ff477267c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_ka.dll

Filesize
29KB

MD5
e0eacb57da5404523e0351b0cc24c648

SHA1
49ce11a94c2751b7c44914ceda1627fb63651199

SHA256
1a269d41990cc81b01b77f0981ff4e9ee31fab50cbe9f0ef437044b40ff72c79

SHA512
735c37d267091491f55d80837bc4879a7a2d6dfaec6c3d2873770cd7706a39f29672eefa2f8a27c6038f84069517a8172cf929f48e637a9c65803e5f49525d54

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE049.tmp\msedgeupdateres_kk.dll

Filesize
28KB

MD5
f1c5f5604f5c2c0cfdc696866f60c6c3

SHA1
25643fc3eef898f4288205c711b693daaf8e78ee

SHA256
e46eb23160f9e87a0d5aab8fee0e1d1aafe7299964864a2c59e9b9f718105406

SHA512
0b562af8b178af10af225649e6c043bb848cfff81a5fa19cac9614eb8f793a97de25aab302bba69c7c35353dfd62baa0cadcc3635c773be1fc10d180241dab44

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
15KB

MD5
98c98a29f93a46eea8e1bb8c1f02053d

SHA1
ce58c36774e50ff49c52485c0f4aa4e719a39c6b

SHA256
380faf7f2d0fd45ff4d1bdffc3f56a24fc1ba029a9f271803e878b3841e2b1ac

SHA512
e303ecafffe1b5a859ee0cbd32abb20a0b9d636c4802eaeb4d691348aa7c48c23b72626afe91a4ab504cc85a08008a2a4a71886613b97006ae9573358e770036

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0b0240381d9ae5f9591e2e5fee3bdb15

SHA1
28a5950c01979e6c82738bf7140a5c02b8d9a85f

SHA256
ce7dedcc6c56ceb3fcd4a67a6bb85077d3f8cabebf50ff08c804c059dc37d087

SHA512
83bdfb3c94bb89b6bfe3d562e72d60bb148785d6c70c081dd9531f772ec62c72b898a13212c081e6e100b30b4553e5629de0f331d4847d993292d48a440201fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cb6656376b346a86b9dc5a6e1f27ad69

SHA1
8dc680377adf240e2671dac3da21561fc8dce5de

SHA256
f04d186e593dc51fcbdf4ef705c5fd9c624a818ff2bb0ef11930b93f2ec61cba

SHA512
f13b0496627bf8e7674a2724682b68198a7a429b96de0c9694097bb8509e6bc3b331ed62d1435d4e38ca35cd36b99b8bb5c3d10e2d492eb2678f32f397ae9a2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
794e1d3d64fe00139ee69b4452f34551

SHA1
2fd3e55524cebf76899f7dd64828186ebe94b508

SHA256
7bc69311f3d70338c43986b026527fa9fe18823e5750c46ea9a9703f408a220e

SHA512
cb4ea5a8d1efb1aa3055a5394f82b2194e68df94bc64154283da52895e8072617b09c2e6e3aa86875cb7eacd720c21ba23602cfc90c88b88a46747c6ef33190e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
180b43f5254671ef1f6138d465912822

SHA1
14815f6f1c806f85e81e5a5853bef1a854d58363

SHA256
7baf796150e0ac0a53468c75574a52809e0962cf47b8805a080d452ef4cc344e

SHA512
f2a054d5d33b8460c755bde5053dc4016cbc0441f9e3df68e2df8c3edff7039eec29c445c740cb9de9c50ef33b45f45dbaf850c8ee94a8bdf76494277bdcd5a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a77f61b2e5964173c3ea06ab084ccb42

SHA1
b99f7b47135ffe460d0225183d6fe42b04f7f418

SHA256
47055aa511e5be110dbea13aeef051a3d364ebd3274363b65e013423c399ca06

SHA512
17b69b34f5fad338f7687194162c784b00319e9c079cc19d9a4b3172f4d243b31b40be83b12af51d4e15682394967ed506502cb0ab6da42431a4adca379d4fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
202a985d2fee34b284b93f6d6187e12e

SHA1
f9e473963cc6d6981a04952ac8c922d88346e5f5

SHA256
947bc5900d9ba96b7a1a4c3ba2823e32536f5786e1962b9ec01e1f2f75306351

SHA512
d3c780ed0d39cc80668e031268e2f053de3a869cdc5ae946dd91b995c8af9f9c4fa7098c4be479a36b698f48d7baf28a6919ff0aa6ea3e2baa9a3ce648bac019

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c9aa2dc633004184b05ba9ef6dd4a0fd

SHA1
3849a9e586f78e9cda7c2d83f96f2937451d1e28

SHA256
c0ae8063697a551112cb26c9a5810919516d9762d63e71da08c32c3a35659e85

SHA512
c2363368bec006f959c82b041c71555689279afd948563373518717874305886923bb9353af1fda9a5dcfc72ed556d021f25f1fd84a67edd62921c2465cccabb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
700bef7d5bbe1b03fc596dc21cc880d1

SHA1
982b98456c02b394fdff9375ad3e3d07da577c5b

SHA256
a3811251e90a40425b77ff0324447bed04339ede348f3623ee93ac53a8affd71

SHA512
ce98b4e32a883c49a46bb6533bab03809bb2717df1618dab1e9a405c66e0555f72308c00117e569a733998fb1dfd86bed7e905f2aadfbc0321788bfa86bf2ab7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1bc3f953c1c5adda5b19ff6e89020bc5

SHA1
ac166e4b2bf9f3187af54db0cc817d10c7ffec87

SHA256
306d76e164c863b9e1e1cbbaa49f7d98affc8562fcafe0a977a4b198e467bee0

SHA512
04e2b2473e05762cef1b09f1ff09bca460f8342a61ab6f666ed6075264c998265e5b4056c2a0f92d35fda8babf990a0781c270d45ad16da96dc4746f440a97f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a065d9a4c4af8ced29f57eecbc56b8d6

SHA1
6c6a646f5d01d3f166578801e47b03cfd525114a

SHA256
5b5954c413e6340784e5a54ad9f04120a9ece45e63b5e42d5c56e4ad24164577

SHA512
0ffc7afaf3ff151230ff739448b90416ae806fdec9a39bf9c5d9577d88fbf7c7eccf570d2aca1976178c76bb495988e8983c037fb8f98faf364743440073d6e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c8c417cae4c2c3830b7a0c0170404fc2

SHA1
531ac3dc3fbed0291b685da1e9e8e10ec7b3ce36

SHA256
f965300f305bf9e423b99d44666672e95bacb2d093e42f4fab29fcdf07a169cf

SHA512
aa0330621bd75d00e6977ae8160860be170f4f4ce9b759529a26293eb0b5aac9717ffeba2095b58225c1ea058031edc6bcf32724e19334c617d514d41ba02254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
78ea6ce92ac3413682f55bec936b42ba

SHA1
d560c248138cadbe5e7fd64c3793273251597bd4

SHA256
36fd7522bb258894cf2862b5e5747be7f4a2ee0e8f591b8c475aca97bdd604af

SHA512
15762f68483af569004559a6c706cf573b94e38059a0714534020e40a15378bb2cc076dc538fba148356072cc7aa802a3827fa79a804c05c3857756ea370852d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
164eee167fbd6774a09474b70bc81a11

SHA1
7d4c1a1772d2b2259c86e9a0b182e25b4f46fc16

SHA256
27b0dde3b9a0d66db8c433f7f25c66f13b194215c2c23df9acfd80785bc914ba

SHA512
7bdaeb5b39ca8d294e79f4a54748f3017f5a21433396b25fb545a816809b9d4a373d61d54d2f0c711e49494e86179edb859fc27182a8c0f09af1990419c28bd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
58ab6fa5c392f5b8d085b2d49f9e2004

SHA1
3b89161ed64bb68aac96aa471d220ff94b1ced8c

SHA256
5ce3b4f34697a1cdc05080d970ec97810de8b3d62f7e3993ea9e420efc778ff5

SHA512
1a93aa5eb67e72da79b17b8957f33133f63bd54798d4974e5de647ae128002492f57ca4eb59482255aba4e20b9a2200893991bce8a3a4bc5e32f1045aaabbb82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\de270768-1902-4734-afae-542f051e32e1.tmp

Filesize
185KB

MD5
e1810c79c2ef26de0732755a1e170148

SHA1
a6e428b647d671863cd0ac67dbe5f342d2db635b

SHA256
4b0ea1f5a26deb53acd3630634d61e1e2154a46ee92e8d28e7e46106ecff00bf

SHA512
96d5bd00896b93719d2b487bb85f2738dfcfb0a398893d0393a76c84930f6eeff5aaafc0f3cbea8524d7a49c44c0d54f63597318967358c2742877896d93c178

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe

Filesize
1.6MB

MD5
2aeb55b75f68b4ea3f949cae0ceba066

SHA1
daf6fe3b0cb87b4e0ad28d650fc9a190ad192b1c

SHA256
22484fdf3008a593e7ca188863d423b8b2a345391120ed296ce8b156cfa983ab

SHA512
3b6a6d6c87b8d9ab06fac72fa38067df4c7d4385d37d391d7ad58a623215681fc0366621ce3ce5c08af25e11cc468b18844ea5f7c8ccb71473c956c29d20188c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l51p15se.raj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
eff9b340f356cbf20bf04baea53f3424

SHA1
7055f467c8d15f94bf21bd738d067e84b0f3ddf0

SHA256
6a50260a423bd465cdc3fa221b02f0527eff396851587cb9dafc37619d53bb94

SHA512
13e8ef0a9199529ea7576ed8959726f7b7fec0eeac1446678d9ec35597813346e003b6754b1f41bd16b69ac5940dde854bc8e5a4f930568b19330f5c7acff4c1

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Default\71e74714-ca08-4af1-bc44-edbf8d73a16c.tmp

Filesize
6KB

MD5
943ce11982abcab4996fd70795531176

SHA1
24bcec826f0f2b105a64fc963f046ae1e8becdfc

SHA256
633a697c06e9552f1f418030b0709ab3697f28016ba748e2bad22de44e4cf21d

SHA512
476917dc0742ad04c4ce37a4cd78ac353c3d08a4294bd4163143e259b45363ebab621bc9b56d0bd4a1a0df2218c73a49a408f1ba238025ea2949552cdc7af67a

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
6ba9b0fab1add89879806636c3f7cdf5

SHA1
3aa05c155a1a996dd847bd4fd17ef3abfc1ee45a

SHA256
177f568d5f31747a4a720ec39d955b393a8d899260b4734c1bded56df28e9540

SHA512
69b7e86579af3c7e8ddf15a7575ec3b563103cd6e0d710e61e3812ec394a02d090c831c93f9fc4759a195c0cc321b8f1e224413ea8fad8d31b0e2ea6fc2147ab

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RFe5aeaee.TMP

Filesize
48B

MD5
e5a91f88746164eac4f199909d021f0d

SHA1
1a2ff3bc081aa569177cc29506bb41440ae4e325

SHA256
0e47a8b8c5f60274a962b6f31ee296ce7f1f811044664f7d3d2c771964603ceb

SHA512
3c3abd495a0ae68d2bd3f44659f59e06d2cc7641a623ec91bcad2f133432c67c1c86b03b7cf72cfef0507a8ee8e62d4c31bb442c96b65c8afc1ded419059ef92

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Default\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Default\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Local State

Filesize
3KB

MD5
292a5cae4b4c6182e4b1d924e40b000b

SHA1
ddc0d03a14665b478ee87002e2ae6b6eb5c2dd7d

SHA256
3ea0c34db58bfeff0662afa49a4a44119f4c867681a1d82545b94598fa278d07

SHA512
f9613e69eb0ccfb0b1e3cff0558681bfa4d84aecb826f32fb83bbfb9508fc498d25f1cfdc3423bd8805d5faa821bfdcacccef7f4fd3f626870e5ee64eeb4dad8

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Local State

Filesize
1KB

MD5
c0fc8a84f68f693e3f7edb82c68d5ea0

SHA1
d50ceb2605b72b89f9ead7bc1297de49b88dd87d

SHA256
254d03b2583410c8ef29a7e4de000a87d62c0619b84f194f84022bbde009f968

SHA512
de8a214bafe7b532e5bb57cce088759c8588c819cb072126c2e28eeafd19fe5c27cb38ccf225cd3c5c6c577afbdd008b40286af64ee368d15471bc3ca1c298ed

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Local State

Filesize
2KB

MD5
4b75e9398a452669aa3be57f6da15f2f

SHA1
97c9576be9558ffb356c8ba4692473a31a055328

SHA256
115590c4c3dbb846c930ef88e09fdb3f2b77eea6df85a167281b3137d3fa345d

SHA512
9b06c98a056222b7ecb8a71cf1bb15612a4f87f109b28ae8c93a33dc895fe1f8ee7ee25f215e6b0cadd93df644e444e1f0476ea5c63567e4aa8ae8ccba4cb610

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Local State

Filesize
16KB

MD5
dc34f97ecf3af7bd1662a8b7d41dc557

SHA1
dcd404e000dcdd9ec31eb9258e2f8c5976d0a7ad

SHA256
47f1e24f2376b19bd118840653fe50f112f637e319a5fad417697e0572fd269d

SHA512
a40f1454d19d699a38d5dfd309c9e060ce40332381b6247cfd5c4f394ad4c185818a18c1c1d54e92b874070400c788598dd289d16e1afb57e400330349d34afa

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Local State

Filesize
17KB

MD5
d907261a82ada7655146766a696ad917

SHA1
2af613258d9a11a058d822fdb9ab8dd8070c8c5f

SHA256
644a378e0ce6cd8246f042a3e5a06f874322a19cad9945b310868b4192253b8f

SHA512
89d94e48716a7683af8f6f6f4b5877f66343b4c05957232c1fe3b028e805bb37f0ed33a5042abdcec4256277e101b55adcd4b118427ea74a89ff454c6f1e6531

Download Submit
C:\Users\Admin\AppData\Roaming\loaderV6.exe\EBWebView\Local State~RFe5a9b28.TMP

Filesize
1KB

MD5
d89086938228008045850bdf626a0340

SHA1
6a20aafeed7e2d1d5c5dfc3406c2f45db07d3c10

SHA256
ab3139261d0b4592ffd94b69f501b89a83660bed7bbb9137f19f6bf0cc8f231d

SHA512
59c8d2704c72851faf0492277266420fbef0f6ef19c82d28f652c4e42f3f18ebe45ef5ef85e1cfdc39f6014b234c5928303e8bfd77ba7afa6dbd9953628c5c07

Download Submit
C:\Users\Admin\Downloads\LoaderV6.zip.crdownload

Filesize
15.2MB

MD5
273e74c7c8e4fefcafca7ab2c634fef7

SHA1
9a01e91e93cef5c77de8c70b8ae80da15a540fff

SHA256
18b7e51b0f80744208e78cdbdc707e5b8467991af8bdea3c47f3ee25ad864277

SHA512
d3f788e51d165b72ebf9c46a3463dd594df308bc199a8f70db25945450ab0c5da3cb1aeffeb6cf9f46f323150bd4d5d660fefd054fed956a5b491dd21e228277

Download Submit
C:\Users\Admin\Downloads\LoaderV6.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
5652e061e1db5acd4d3ac5f329b0288c

SHA1
ad263dd11b428a749ccf7cd261178b7fc3f26e14

SHA256
c90502cfdbcc4b65c4915594e3db11bd9b97e394042ee65a3f5b8275fcc97aa8

SHA512
e7b7acd623f45d3393146b74d4c2410afb2da13c9e037ba76a2b41cbab17c341aef2c448b5b8421d6afc7053477c7e374d37aff58543f66ddf3a8090b3fb8e7a

Download Submit
memory/728-913-0x0000027EF78F0000-0x0000027EF7912000-memory.dmp

Filesize
136KB

Download
memory/1072-1014-0x0000000002240000-0x0000000002640000-memory.dmp

Filesize
4.0MB

Download
memory/1072-1017-0x0000000077880000-0x0000000077AD2000-memory.dmp

Filesize
2.3MB

Download
memory/1072-1015-0x00007FF853FA0000-0x00007FF8541A9000-memory.dmp

Filesize
2.0MB

Download
memory/1072-1012-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/1356-956-0x000002AB8EB40000-0x000002AB8EBEE000-memory.dmp

Filesize
696KB

Download
memory/1356-757-0x00007FF853390000-0x00007FF853391000-memory.dmp

Filesize
4KB

Download
memory/2252-1001-0x00007FF61AF80000-0x00007FF61BADD000-memory.dmp

Filesize
11.4MB

Download
memory/2312-957-0x00000221C2A90000-0x00000221C2B3E000-memory.dmp

Filesize
696KB

Download
memory/2312-874-0x00007FF853390000-0x00007FF853391000-memory.dmp

Filesize
4KB

Download
memory/2528-1002-0x0000025144210000-0x00000251442BE000-memory.dmp

Filesize
696KB

Download
memory/3644-1009-0x00007FF853FA0000-0x00007FF8541A9000-memory.dmp

Filesize
2.0MB

Download
memory/3644-1007-0x0000000003910000-0x0000000003D10000-memory.dmp

Filesize
4.0MB

Download
memory/3644-1008-0x0000000003910000-0x0000000003D10000-memory.dmp

Filesize
4.0MB

Download
memory/3644-1000-0x00000000009D0000-0x0000000000A4E000-memory.dmp

Filesize
504KB

Download
memory/3644-999-0x00000000009D0000-0x0000000000A4E000-memory.dmp

Filesize
504KB

Download
memory/3644-1011-0x0000000077880000-0x0000000077AD2000-memory.dmp

Filesize
2.3MB

Download
memory/3772-945-0x0000017DA8E10000-0x0000017DA8EBE000-memory.dmp

Filesize
696KB

Download
memory/4456-678-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/4456-679-0x0000000074D30000-0x0000000074F55000-memory.dmp

Filesize
2.1MB

Download
memory/4456-683-0x0000000074D30000-0x0000000074F55000-memory.dmp

Filesize
2.1MB

Download
memory/4456-739-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download