f5e0a6cc46e4f74c7ea1bffd0e75d5a6de3a2c70376c4025c01417ecbd2284e4

Resubmissions

22-07-2024 17:44

240722-wa9k2azcrq 6

22-07-2024 17:43

240722-wavrwaygmg 1

Analysis

max time kernel
112s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

webOS.Dev.Manager_1.13.3_x64_en-US.msi
Size

12.6MB
MD5

70fb7e81ddd19dbcdd8e1e03bcff575b
SHA1

5783fd87764a4a4b86f7b74c9c9eee591ceea18c
SHA256

f5e0a6cc46e4f74c7ea1bffd0e75d5a6de3a2c70376c4025c01417ecbd2284e4
SHA512

dc341ecfe79e88b8e07542689db8c74219ada7f513feb2cf8c7f2cf574aee42f4afeb8ba59dd1164fb3bca71041b9651f4ffacbb241a386fdd59141ba8a4259b
SSDEEP

196608:KGvCh4ABp7gi3gLZRwT9qmNkxierM1Otkfmwgf3Y3SYwi22BvzVEIR:zvC2Aj7gHZsqOk8v+wcI3S8Zz

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_cs.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ja.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\MicrosoftEdgeUpdate.exe	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_da.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_is.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_af.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_fr-CA.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\psuser.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_es.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_it.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ro.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_en.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_sv.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_as.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_nn.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_fi.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_hr.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_pt-PT.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ru.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_th.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_uk.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_fil.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_tr.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_bn-IN.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_bg.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_iw.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_nb.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ta.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_zh-CN.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_pa.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_bn.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_mr.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_tt.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_mi.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_or.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\MicrosoftEdgeUpdateBroker.exe	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_de.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_pt-BR.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_sk.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_zh-TW.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_kk.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ka.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_lo.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_sq.dll	MSI2CB.tmp
File created	C:\Program Files\webOS Dev Manager\webOS Dev Manager.exe	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_fa.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_km.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ug.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\EdgeUpdate.dat	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ko.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ml.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_et.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_sl.dll	MSI2CB.tmp
File created	C:\Program Files\webOS Dev Manager\app_lib.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ca-Es-VALENCIA.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_hu.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_pl.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_te.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ur.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_mk.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdate.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_en-GB.dll	MSI2CB.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_vi.dll	MSI2CB.tmp

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57f9c1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{BB9B508F-6C9C-4F28-9534-499BA22B632F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB19.tmp	msiexec.exe
File created	C:\Windows\Installer\{BB9B508F-6C9C-4F28-9534-499BA22B632F}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\e57f9c1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{BB9B508F-6C9C-4F28-9534-499BA22B632F}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\e57f9c3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CB.tmp	msiexec.exe

Executes dropped EXE 11 IoCs

pid	Process
2040	MSI2CB.tmp
5108	MicrosoftEdgeUpdate.exe
1456	MicrosoftEdgeUpdate.exe
1384	MicrosoftEdgeUpdate.exe
1812	MicrosoftEdgeUpdateComRegisterShell64.exe
2360	MicrosoftEdgeUpdateComRegisterShell64.exe
1040	MicrosoftEdgeUpdateComRegisterShell64.exe
1304	MicrosoftEdgeUpdate.exe
1832	MicrosoftEdgeUpdate.exe
4496	MicrosoftEdgeUpdate.exe
3724	MicrosoftEdgeUpdate.exe

Loads dropped DLL 16 IoCs

pid	Process
2548	MsiExec.exe
5108	MicrosoftEdgeUpdate.exe
1456	MicrosoftEdgeUpdate.exe
1384	MicrosoftEdgeUpdate.exe
1812	MicrosoftEdgeUpdateComRegisterShell64.exe
1384	MicrosoftEdgeUpdate.exe
2360	MicrosoftEdgeUpdateComRegisterShell64.exe
1384	MicrosoftEdgeUpdate.exe
1040	MicrosoftEdgeUpdateComRegisterShell64.exe
1384	MicrosoftEdgeUpdate.exe
1304	MicrosoftEdgeUpdate.exe
1832	MicrosoftEdgeUpdate.exe
4496	MicrosoftEdgeUpdate.exe
4496	MicrosoftEdgeUpdate.exe
1832	MicrosoftEdgeUpdate.exe
3724	MicrosoftEdgeUpdate.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x000700000002345f-34.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
3932	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000e2797196c4e56540000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000e2797190000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000e279719000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0e279719000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000e27971900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\ = "Microsoft Edge Update Core Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C54F392B-CBA7-4F57-AE2E-DDCE3A1A801F}\InProcServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0\CLSID\ = "{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.27\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.27\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32\ = "{C54F392B-CBA7-4F57-AE2E-DDCE3A1A801F}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{C54F392B-CBA7-4F57-AE2E-DDCE3A1A801F}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{C54F392B-CBA7-4F57-AE2E-DDCE3A1A801F}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBA46DC7-84D0-4C3B-BE4A-308C78349304}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.27\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{C54F392B-CBA7-4F57-AE2E-DDCE3A1A801F}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C54F392B-CBA7-4F57-AE2E-DDCE3A1A801F}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.27\\psmachine.dll"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass.1\ = "Microsoft Edge Update Core Class"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{C54F392B-CBA7-4F57-AE2E-DDCE3A1A801F}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\ProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CurVer\ = "MicrosoftEdgeUpdate.ProcessLauncher.1.0"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass.1\CLSID\ = "{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0\CLSID\ = "{77857D02-7A25-4B67-9266-3E122A8F39E4}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\ = "Microsoft Edge Update CredentialDialog"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{C54F392B-CBA7-4F57-AE2E-DDCE3A1A801F}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{C54F392B-CBA7-4F57-AE2E-DDCE3A1A801F}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\ELEVATION	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.27\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\74A43579A512E1E5BA154314E211406B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\ProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachine"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher.1.0\ = "Microsoft Edge Update Process Launcher Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBA46DC7-84D0-4C3B-BE4A-308C78349304}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4852	msiexec.exe
4852	msiexec.exe
5108	MicrosoftEdgeUpdate.exe
5108	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3932	msiexec.exe
Token: SeSecurityPrivilege	4852	msiexec.exe
Token: SeCreateTokenPrivilege	3932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3932	msiexec.exe
Token: SeLockMemoryPrivilege	3932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3932	msiexec.exe
Token: SeMachineAccountPrivilege	3932	msiexec.exe
Token: SeTcbPrivilege	3932	msiexec.exe
Token: SeSecurityPrivilege	3932	msiexec.exe
Token: SeTakeOwnershipPrivilege	3932	msiexec.exe
Token: SeLoadDriverPrivilege	3932	msiexec.exe
Token: SeSystemProfilePrivilege	3932	msiexec.exe
Token: SeSystemtimePrivilege	3932	msiexec.exe
Token: SeProfSingleProcessPrivilege	3932	msiexec.exe
Token: SeIncBasePriorityPrivilege	3932	msiexec.exe
Token: SeCreatePagefilePrivilege	3932	msiexec.exe
Token: SeCreatePermanentPrivilege	3932	msiexec.exe
Token: SeBackupPrivilege	3932	msiexec.exe
Token: SeRestorePrivilege	3932	msiexec.exe
Token: SeShutdownPrivilege	3932	msiexec.exe
Token: SeDebugPrivilege	3932	msiexec.exe
Token: SeAuditPrivilege	3932	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3932	msiexec.exe
Token: SeChangeNotifyPrivilege	3932	msiexec.exe
Token: SeRemoteShutdownPrivilege	3932	msiexec.exe
Token: SeUndockPrivilege	3932	msiexec.exe
Token: SeSyncAgentPrivilege	3932	msiexec.exe
Token: SeEnableDelegationPrivilege	3932	msiexec.exe
Token: SeManageVolumePrivilege	3932	msiexec.exe
Token: SeImpersonatePrivilege	3932	msiexec.exe
Token: SeCreateGlobalPrivilege	3932	msiexec.exe
Token: SeCreateTokenPrivilege	3932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3932	msiexec.exe
Token: SeLockMemoryPrivilege	3932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3932	msiexec.exe
Token: SeMachineAccountPrivilege	3932	msiexec.exe
Token: SeTcbPrivilege	3932	msiexec.exe
Token: SeSecurityPrivilege	3932	msiexec.exe
Token: SeTakeOwnershipPrivilege	3932	msiexec.exe
Token: SeLoadDriverPrivilege	3932	msiexec.exe
Token: SeSystemProfilePrivilege	3932	msiexec.exe
Token: SeSystemtimePrivilege	3932	msiexec.exe
Token: SeProfSingleProcessPrivilege	3932	msiexec.exe
Token: SeIncBasePriorityPrivilege	3932	msiexec.exe
Token: SeCreatePagefilePrivilege	3932	msiexec.exe
Token: SeCreatePermanentPrivilege	3932	msiexec.exe
Token: SeBackupPrivilege	3932	msiexec.exe
Token: SeRestorePrivilege	3932	msiexec.exe
Token: SeShutdownPrivilege	3932	msiexec.exe
Token: SeDebugPrivilege	3932	msiexec.exe
Token: SeAuditPrivilege	3932	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3932	msiexec.exe
Token: SeChangeNotifyPrivilege	3932	msiexec.exe
Token: SeRemoteShutdownPrivilege	3932	msiexec.exe
Token: SeUndockPrivilege	3932	msiexec.exe
Token: SeSyncAgentPrivilege	3932	msiexec.exe
Token: SeEnableDelegationPrivilege	3932	msiexec.exe
Token: SeManageVolumePrivilege	3932	msiexec.exe
Token: SeImpersonatePrivilege	3932	msiexec.exe
Token: SeCreateGlobalPrivilege	3932	msiexec.exe
Token: SeCreateTokenPrivilege	3932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3932	msiexec.exe
Token: SeLockMemoryPrivilege	3932	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3932	msiexec.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 2548	4852	msiexec.exe	99
PID 4852 wrote to memory of 2548	4852	msiexec.exe	99
PID 4852 wrote to memory of 2548	4852	msiexec.exe	99
PID 4852 wrote to memory of 516	4852	msiexec.exe	104
PID 4852 wrote to memory of 516	4852	msiexec.exe	104
PID 4852 wrote to memory of 2040	4852	msiexec.exe	108
PID 4852 wrote to memory of 2040	4852	msiexec.exe	108
PID 4852 wrote to memory of 2040	4852	msiexec.exe	108
PID 2040 wrote to memory of 5108	2040	MSI2CB.tmp	110
PID 2040 wrote to memory of 5108	2040	MSI2CB.tmp	110
PID 2040 wrote to memory of 5108	2040	MSI2CB.tmp	110
PID 5108 wrote to memory of 1456	5108	MicrosoftEdgeUpdate.exe	111
PID 5108 wrote to memory of 1456	5108	MicrosoftEdgeUpdate.exe	111
PID 5108 wrote to memory of 1456	5108	MicrosoftEdgeUpdate.exe	111
PID 5108 wrote to memory of 1384	5108	MicrosoftEdgeUpdate.exe	112
PID 5108 wrote to memory of 1384	5108	MicrosoftEdgeUpdate.exe	112
PID 5108 wrote to memory of 1384	5108	MicrosoftEdgeUpdate.exe	112
PID 1384 wrote to memory of 1812	1384	MicrosoftEdgeUpdate.exe	114
PID 1384 wrote to memory of 1812	1384	MicrosoftEdgeUpdate.exe	114
PID 1384 wrote to memory of 2360	1384	MicrosoftEdgeUpdate.exe	115
PID 1384 wrote to memory of 2360	1384	MicrosoftEdgeUpdate.exe	115
PID 1384 wrote to memory of 1040	1384	MicrosoftEdgeUpdate.exe	116
PID 1384 wrote to memory of 1040	1384	MicrosoftEdgeUpdate.exe	116
PID 5108 wrote to memory of 1304	5108	MicrosoftEdgeUpdate.exe	117
PID 5108 wrote to memory of 1304	5108	MicrosoftEdgeUpdate.exe	117
PID 5108 wrote to memory of 1304	5108	MicrosoftEdgeUpdate.exe	117
PID 5108 wrote to memory of 1832	5108	MicrosoftEdgeUpdate.exe	118
PID 5108 wrote to memory of 1832	5108	MicrosoftEdgeUpdate.exe	118
PID 5108 wrote to memory of 1832	5108	MicrosoftEdgeUpdate.exe	118
PID 4496 wrote to memory of 3724	4496	MicrosoftEdgeUpdate.exe	120
PID 4496 wrote to memory of 3724	4496	MicrosoftEdgeUpdate.exe	120
PID 4496 wrote to memory of 3724	4496	MicrosoftEdgeUpdate.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\webOS.Dev.Manager_1.13.3_x64_en-US.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9C97FAEF4F0A634C85C16A23906B51E C
  2⤵
  - Loads dropped DLL
  PID:2548
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:516
- C:\Windows\Installer\MSI2CB.tmp
  "C:\Windows\Installer\MSI2CB.tmp" /install
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\MicrosoftEdgeUpdate.exe" /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Checks system information in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:1456
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.27\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1812
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.27\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2360
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.27\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1040
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xODUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NENCNUJGNjItMTdGQS00REFFLUEwMjItMDU2QTA4MEE5NUFBfSIgdXNlcmlkPSJ7M0E1QjdBOUMtNEMwMS00NTJBLTk2N0QtNEU5OTc0NzlFNTczfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyMjBDMjFCOC0yMDBELTQ2OTAtODFEMC1DQTlBOTkwNjNFMEJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0Ny4zNyIgbmV4dHZlcnNpb249IjEuMy4xODUuMjciIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwNjE4OTUxNTkiIGluc3RhbGxfdGltZV9tcz0iNzE5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      4⤵
      Checks system information in the registry
      Executes dropped EXE
      Loads dropped DLL
      PID:1304
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{4CB5BF62-17FA-4DAE-A022-056A080A95AA}"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3652

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\UnlockUnprotect.vbs"
1⤵
PID:1136

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xODUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NENCNUJGNjItMTdGQS00REFFLUEwMjItMDU2QTA4MEE5NUFBfSIgdXNlcmlkPSJ7M0E1QjdBOUMtNEMwMS00NTJBLTk2N0QtNEU5OTc0NzlFNTczfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTQ4RDQ2RjAtQjJCRS00ODU1LUJDOEItQ0U1NzYxMDA5NEI1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTA2IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxMyIgaW5zdGFsbGRhdGV0aW1lPSIxNzIwNTM0ODI5IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNjUwMzI1NjQ5NDMxMDQ4Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDA2OCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTA2NjI3MDM5MSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Checks system information in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
182KB

MD5
4c97df7d7a1307e2efd68ea7f3cc38a7

SHA1
1cc466df9cf1167623bf0bae971df747e758e7bf

SHA256
976d5dffb2a8ffad46e20606a50b7f7243b7e4f209c2bda93e73acacd7f2a9aa

SHA512
eae5052d10fd306e3660314e132aed59f52b1b1bda0b9af7f3530a30c1dd544f1b58dfb7d546ad8f92765e1f9eb826ebc4696fb3dddcdb904d9e68e789b10a00

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
733adfa5081059a471115660d7c11ebb

SHA1
3b98b65e4942bbcea39389ed9ab1cf63e57630fa

SHA256
f3c7bab6a7652e58719ce96edfeff483316668bd48d912694f1175fb397b86fd

SHA512
9776110b101536ab7406a068d6659ddf437a55d9915dbe0bff9d4677635461a8321d35ff30b1617eccea799448e61b9bdf98bae130c9c7e55d41fb3271f3f9f5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
216KB

MD5
b83de3475be3ab3aacfa50090b818095

SHA1
4c10cc32075213af475e981c856e00a41b7eb824

SHA256
ef1c2d7dbb252b07beeaadd71cb8703105b5778bd69f5103f680bb81fcf8304d

SHA512
f765327820059636932ea57be741432a42f4bd9054906737352aefdeb0ef22e5fc04299b092288474a79c925cf7fad958f2f9c0d7b28f99ba1699cdce18babd9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
261KB

MD5
c1fda26d5eab9b84cccd9e18f7c08639

SHA1
7dd5c136f9c350448741d3d6f821ae8b52207b44

SHA256
b913fb893ba42c781862191ea416d8bf1bba9ada900df07d59e654cd218977e1

SHA512
b23dbb8e5c33d8a36753a10b4f9d2530e5e70c106b4bcc34de40ef86f236a50f79ebdf34462bfb7622fcf461acc9e5417ce00063981879cc47aa80b71cccc207

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
438a9e1a79e3984acc61f1729bd1dd13

SHA1
45bf48846184d3ddc2c796451b64cb816ca12daf

SHA256
4353c26bf5f3ba1e8f25051eed6e9b71816ec076f2989d6f9a1c59a3530ff4f4

SHA512
59148ac47f984d5da24aecaf1c13deb672a19661b5426810c2bc87641fefb685e85bc5f1540a9b84ac5928a9427e9ae7201f04ee79e59a82b172a33acd13d486

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_af.dll

Filesize
29KB

MD5
d7f9590aaa054bf5f05772faf6002d8e

SHA1
a1f2cd710af647b66bacd5c8a5a4b48e56a55729

SHA256
b8a805047f7e3d1695a856fde2ee4c58d6de3facfb72c708e86ca40040513f6c

SHA512
c25e70908260ff7128f499444b05a4be4da026c77d5490f673253a58fe6ff3579d0547c785011659432df8169007d8d6169c48a51e86699cf287dad19d66c920

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
b4c43c95ea80273ab76c87b407ec77dd

SHA1
a64c8dd32880727f7834fa1019ea75357621ac03

SHA256
4eef024dd3555b834b80d9fe1ee28cadf4d1121573e78d44ec4a1bc0c121b261

SHA512
68d225271888c7fbcf586273217d46dbdb081af4e21520d2b1e370ae1e6f71eac0ccbbff8d2979fc58d584eb79fcb055d6e10d2c5fb1e20bc2d7b0e133766808

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
0957b24fb7f5f2b8aeb86024eaaf114f

SHA1
4f7c93fcb455bc5c05b104e92e65fc03bd8e4a7f

SHA256
0a97ce2a85da3debbd2588ac9d73b164fbc771dc9ee2977425a7e08fccac68a8

SHA512
9b204fdebb3352c14830818f2b65cbc1d75054de350f8c2d3085c5110af7b2a434b9a996354a6d06fdb94827acf7ddf681a47781f6603799c4c1a9257fc606ca

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_as.dll

Filesize
29KB

MD5
ee10353b0e3831e07e9f79397003f4cd

SHA1
55f48f4bd348169e5ced75ce4ab8917c21c52095

SHA256
a4bf93b35ca550593e4ff61fb6281216a8f3ad52cf9d106fac8116f870b2fe0a

SHA512
9f8997f654bc717303732ae4e71f6745ee7582cb2b994b4cb20ac16156d6a900440e8d7a9cd4fc877c93abf637fc0bbe84fa87c4371a232893f9decd01a6d3fc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
378d329969802b2a6c10e351b5719ec3

SHA1
cdfe9445dee808454aeb1ef16da570711bf153ab

SHA256
ece64084d274aafee51aa68109a25c713abadc98a1e244ea01bba4963c4dd74a

SHA512
8fec23def18e5b53b23ac61832be40f741074464767d29bac76db334e6c79f5d87ddb8dc52e01f7392c0f4f4c5fe0ddbb6122bc2ac0e1d354e372c1861c81e64

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
88b8ed48da3cbb16419458c262045fe5

SHA1
bb160b545ad19a28e7462a52a8f1522efc34d469

SHA256
809934fd4381ec225b515fbc66d2d88bc1653a82cf440473cdac54b140fbb7b7

SHA512
92dda6d887130f7958c7a5ae641d69fb8509a58705a6a22bf7735eb0f0b448642f04e056faa974d5fa8924989cd9e253b288ea6437c1aac11f4db62ae3bfdf23

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
c61e762e0f0d8fdabb6b9c9a7f2243a5

SHA1
419b883574b7fbc4d12a1357df50fab364427680

SHA256
84f1844b27a3e9fc46f7d043482eb29e57d2946b3b06c3b61156ee8df184e0b5

SHA512
dd6bc869900ca031b7d1a7c6d01e6e2e0c1a39d749d5eded16afd4571b49f0c08104b5fbe9b60d2253b9ee152fc9574308fd428e71fc17a1473e12e4890c61af

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
460fb053b205c0bef8cbd498772ec102

SHA1
4a9529ed2a92fa100e0ffd5a7945dcc18b1dcb3d

SHA256
9f7b4460b7c4c332be7e4d7fa105a484b5590ee7ab73e0d78aacb182b46db577

SHA512
cf76eac2a4d125f52847945016e207e2e517ab76b92681512227714ba86aad2f9ba665dff3e259f17b36b5a00967749362a98aacef0e028186644b35fddb5e73

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_bs.dll

Filesize
29KB

MD5
c9c347fb075fd11fc58edd9e4d603463

SHA1
f310f60914f29553197232c7d9887b6f3d509548

SHA256
c6e7fd2483362a2af6056b6c71e52ce7cf4f41a5c82959e15d8d0cf790348ae2

SHA512
72c2301281e828fc932715496ec20570e58f193413c5e0346cbf807cfa235fbd436da30d9a8cbf204b2d0a42c03ce89b01c95d6c82d1b3eff8866c16dad4b045

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
29KB

MD5
de0fc687b076125d2dff212bd95ca287

SHA1
3af06c7d1041a07a551cf03caddffd2b55dd8e98

SHA256
6a4d3963a9a90e4cf0e84b336aab8ad89f63d81401bfba7090272c8a17502642

SHA512
6aed4251244d3a5935c56c6fdf3510d3d95b51195f5c1f7616db7b4de837da75334e4692c6a165d328e67a8be085e82198152d40a1cd10d7acda73e791c30cf7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
bfeb934b1cafff36d7552c74a584232f

SHA1
0cca32a3f80d55e47747802986b752d869b10463

SHA256
3b2905f03bcd49ba91df0748c11a706ef3019b6f93497fc344f5f560338b93f6

SHA512
142d82e547c23262e905465aff804f93d7cfe0f339f2fee7b85b2ab5682f4d947f4f385c12b6c42a03ae6ab39877113a852066dd4ab85d9d55f2814909f6d4c7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
60f909fc6927ff3920f4cfbafd953a7b

SHA1
17155d8f7133436885d1ac01845323c699f9f54c

SHA256
fa33552be30673afee65f3bbfdc808f5aef11430caf3af477656f6ce5a68a431

SHA512
622a84e56e3b1b20e579c9a908ba053371f1dd9bf062df5c636a6f61c301825d41bb0d64ddae79b51f65680b33fbbeec89d71e892b355f89435bad0cc049b53e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
17f643110a4e631d876794729e568216

SHA1
5348717e3008f0f57bf7ee7623ce5cc84fca3972

SHA256
c795648f511e8b311fda82748808bc52270f4a3ec548255ae4027a6472f646b9

SHA512
7ba361e779fa14e6833f013903e4cd34de8d87c4028f9268599e312a898929fe3bb66d37c0f6d238d33497293f49f6580cf8b3d162d5c500f602d1837debdf76

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_da.dll

Filesize
29KB

MD5
a2a25ebc5b16beeea78c2bbde4ac43f7

SHA1
03c68bfd1806f039a49b2eff4eea37e12b947878

SHA256
cdfaad242f66a141aab54034b86d92552368061c30a40e1ac964290812ae4a61

SHA512
5d4e6c958c91df09ea8605cf5956373861d677944019e82389c5467d2626bd62b7c3c223b601f07820abf00d98bc4fb4ac9b67b6ff57b9c8bcfc51d615d7d953

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_de.dll

Filesize
31KB

MD5
7656ec1537e736e77a7bd71d92f9359e

SHA1
25f91dfa2a68499207b1708ca6a49539f65c97de

SHA256
d44d4338086bdc08b3c7000e3190c963d3a7539ad5ad98054a845b0030ad04a5

SHA512
aa2f1e07a1bc3f3b922e7462e0d627bd47f1e240b3c628a7537e32152e62f82c668bc4b8662d9a0745ff3f5ba26e93f74f49ecc6b066d3369301a98e22316067

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_el.dll

Filesize
30KB

MD5
fef913c80dca6cfb74713faa0886fa06

SHA1
6d5b7d858ac628c0cf7ecaaed4e757166b13c9cb

SHA256
f585bddea7338d6386ea298353441717b6f2d850c05bc178e469375fa3016a15

SHA512
3864010faf8a78c6b2d75ea6c82461fb962f5c415b0a1be07e0ea6c1c9614db2543e485da01eefbd03acbf154f06156e77bab52c99e97af18e7d2c57811ba98f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
6546f6a2416057a8cd08062cadbdcdac

SHA1
6e49ea333ef8190a49cf24c2d82609cd0b629278

SHA256
0620fe2d4f4db9f782bc17246b8174f1ff8adc3d22e13eb8ed9eb5aa6caf86fa

SHA512
02a5d7fd96b7d88a5c414120e2697690eeeda9595a635c722515797368f939fb6e030332f73dcc87583cd3caaa6e95907c0bb93e9050cd2bc74ed17f943025c9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
023ff9098ab2479e7fc66f459c408411

SHA1
03ec37fbd4c580c479847e0828a6a50a9fadbb10

SHA256
a6dda7a3463e04f2422b8faa4129940fbf2490750ec24029eb23e35427c268da

SHA512
09c69d3b84e19a82b36a0073bbef31d8439b26df07374af9eb458fecdbd6c12686748cdc2beb8e1b0516bcc900e421c6628bfe52ab1a79ca77169eabc3fdf09c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
fdc516a3fb562b343e7cbb8783c13af4

SHA1
9950be8368d971d772af18d0326bce1fc421f47f

SHA256
d90f3b6e89b7f4a99ae9be7c27d259e590733a0ff3e2d8103a1f88c498253aef

SHA512
a697b231d72d5a0a4d9cf5ce79b746fb34084e5b4995478a9b6acaff9a07113084f993594d1d05b152a8c6e8a16db7ba649132a6cd7a50be4c552e88d349b059

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_es.dll

Filesize
28KB

MD5
fd37eab29884a711784ffe02beeef4aa

SHA1
7cb2be272832c47589613ea5bd00f7e0bf2bf71d

SHA256
ba968e815a8571129fa6d630debd63a0614d6027dd1da799f8d5d50b74168fbb

SHA512
856e46bf23746d4aa24eeccd4355220c70dbcf7dc5444673fc741b8da1983942a497738d0fd3c80488b9be6f53e78c766642bd96b33435b35f244357cee2ba84

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
636082f4e1114f5b91d9adddfc8e9674

SHA1
f3470f79e484ae7cf2734f63da99467369a4c87f

SHA256
eb56c5a62f0a70cd09a566196daf619b200c2096a322bb59ef7af8e039452186

SHA512
4160b47bec4b1ec1a75ed7560fd5487e22426cebcd3aa1e3d4a97b0a234d7dc2a3dbb5fd15cdbf608407bdbe3264f2edb45292865d38f24e7dbe78638e5b89d8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_eu.dll

Filesize
28KB

MD5
845321c486c416b6ae7a626b9ea30ff6

SHA1
f3ab38ff46a0b8b97645962d618692c784c798c4

SHA256
7255d1fad7117f3af444588bf5353e3a8743fcefc6c7a118bdda1b60a770a2db

SHA512
128c7742ee71949d4f46dd358a3897097ac7f03ff1d57ec8cb4649eac4835cb04386408442389f4d3a44daa9d3601d073d5fb8b0a78859a074cc5c58619e13ee

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_fa.dll

Filesize
27KB

MD5
4238ed287f999c39e30bcf3999c5641b

SHA1
546e0e4f4f1ca7edb58311c9e14fc090668238aa

SHA256
c454384e1bc16c63dc0d2744bc1fca758488feaea2c8ceac430567ca47fc90f9

SHA512
c3497569a6b2a8c6586c25ba8c95a60e0f5686ee2fe5e1a1908ef161bdf7cf946c13759c4ef16496f0282ee6d8cc1225b18d3ec60c2214d50b28ee5308bcc3a9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
77f858262118f058c7eea5283a92d0cf

SHA1
4fc3d458ef1909a18171e94be0989d9248f643ec

SHA256
db6a7e1d7779485647354a4ceb3cc969b12569c7fe1a681285e1b0e655343217

SHA512
96b31997129bfc27a16f58e971da81c8295b5d61dd3d8b33758127334e038a0b985c875850014931d81170d22c8b8f73d18307ee7cd2009ce558141c1f3c8565

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
7460b95cf48e93379ca9d9136b282488

SHA1
54437c2b4ce4bdf71851719f2e0014e82374b075

SHA256
2b97794e4bf8bcbce2ae01cea686bb55663a744c24f7d003857c08565662cdea

SHA512
477b3b3cba84e76ea22e0fb4aac7cccb6c60bad0ade445f30f8eec2aa6f332506dcfb25a2be3c2a4edf9e593b09f37574a5f173118e1a2bbacaaa63d589fe325

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
a8f5b91b02be5c4a329ea24df1811f26

SHA1
a5ea34d9424399fbc20e74f82e755dbdbe52b319

SHA256
28650df1d3f3629e6db093150fbc6dc310b8c6a36dc774e832fdd59210f1d57f

SHA512
235cf59516db66d18f680fc8b30f41a0a2773aab57373b2516ddb5697b78afca6259b230ab24758ddb3a2f30d7050e2666d066d585fde74ab18e218e67834a68

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
16322e91a99b63b6feb82b43b73efa02

SHA1
313a3998d1c1654ea4a218a8ea86bcccf99706ce

SHA256
6c51c6e4c6409b40cd4ffc202f45d1ba00e7dfd11059945d07deaa8aa0655b47

SHA512
d7a19a89685b629b77060c4a32d3598860c1d176a72d800512d253e5127c5089328280cb7864f8b64617f491e0dc9bd7c886d01704aaa563fbd69b90c3168aa4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ga.dll

Filesize
28KB

MD5
06ea22a039c39c94acc10f6f2237e11c

SHA1
9191c77d5e5836b1c628c0ee7aaf232670585e8a

SHA256
661c310090ef2b1dc54f585183929eda5c3106c645e491a8674c5975a19df410

SHA512
832b42770ed98a7cc5bfd33ccddf1ccaf38942fec9bed49c9de50242e1b4e277bfbfcb98832156b62b3a1d8512aded4fcc4a56aabe14e2962dbacbd275b8f29c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
81d1960e9b440f3f9f52bf41b5117ae3

SHA1
7d09aba15f1a9a49affe0461f24fa6a9e05bd885

SHA256
aacb9d317b7cb99177a0b79f8f0e7b866368c6c61d20bd6b1b0842efdb8e333b

SHA512
d5d211546a1c3698672382d28def2b39336d3f0f6a95af2919e4a6ae4fe6bb83b48e2b928281c9e74d812d4cf653d91326e7cd5dbba741dbaeca33560e2c092a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_gl.dll

Filesize
28KB

MD5
e1ad026ea56faeb73d57848de553caa3

SHA1
f6c819a9ff692fb2da6e465702386e61d56be8b7

SHA256
38931ab01563e4c87ace23c05c2d580c49f2d17bb4b20d2e02773817164cc812

SHA512
749a9e28613edc84f9a61c8579de58c87b2fee2ed7695f6206f1e3c6a1a4d44319385d8693d4eff95280774fb7ebc6799d588bbdffaeaeb7adfcf844e039e732

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_gu.dll

Filesize
28KB

MD5
0a08bf5c3ed4e2cb75910b99bbd92ee6

SHA1
ca5fecb458562eed2b08741877ece35440904375

SHA256
50fc1c9b17b1b67ecc0da2b3caa9225a45e375b5c23b01d32bc556cd21c33d23

SHA512
213072553e9ab2d439d59763701b1511c8f164566da1d4e573bf4456dc8dece14ba42bc60eba02c3cfda7ebca20a24301fd922b964dbcfe8da8cc59fa429a693

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_hi.dll

Filesize
29KB

MD5
70ebbcb44c24a5c524d7c5095ad9fcb4

SHA1
d472751d592abb16bb4792dd8c984be79c51776f

SHA256
011af8d243817adee346e2e04fcf344b3007eb55dadba0bffe5811e9be57c797

SHA512
e08912915ec9542d14883e3baa42335ad6cb1009d2d88969126f4b2ac1a7d055cdf1b4bbc406307fd2db95f70955bd1a9aa2f274f3b404e674b2050b868a7b86

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_hr.dll

Filesize
29KB

MD5
ca98c3ddbd3bce71e184f93fb9d178dc

SHA1
3b69d7dc0c93c5c19b6760107603e005a9ce004a

SHA256
b607cc587a72122082f791d1dcd87764e304e9469a62d574f33b993e5ec861ed

SHA512
30988b9472186a288d1192173c63e88f5b08a492b2925444d8dcd8c58a35d5dcb0aaa267eae818c5c2857af6dc9d0fcba545faa0ba03236b17d90f80cbdb263e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_hu.dll

Filesize
29KB

MD5
25cb225c8460fc845689665cb24bb941

SHA1
09c90801ae08d5ec4f3ab6974e200a901264bb0f

SHA256
97f81671b773ade113e322a71e11017b8995f52fc8d2caa44a1f5808eccc7e3d

SHA512
6c5adf5d97625d96825eb78868602cbed0b0b908560aa60ad6082970bc75b1f26d17c70d0e26feb8f8e1ac367640b66bc6c5c2a99d4b92563571ce85054c8070

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_id.dll

Filesize
27KB

MD5
b65adf4da9017fa51d617ba97a4aa87d

SHA1
d5271cc6bd6467046e9cae0c8b176d4c558cee7f

SHA256
1f33735e764ee80b64484f05e26bfc641ed3a676f1d2a77a597bcee9ccfc88da

SHA512
63fcd992103307cf7d8cd48858a198030fc4ccb111381abac7e32b5ebfe62216a392cf86643ed223bb80b941d03c631c57b712edb4f3c735b91735d825b03e27

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_is.dll

Filesize
28KB

MD5
049284581467619517c2121295b5773a

SHA1
c1a27fb98776e833d86b6141e1239c297dfb8140

SHA256
6cb91b4bd6403fa791c9206a89618bb2e92b7b16a3916a31476eb802108aea56

SHA512
d78a5272d18f0df162da183a4a658fe90b2ac66ca433b2aa3ed207315866fc50cc4ab7e0048f385a5cc7616749ac4b0d4a73e65182677debfa5f90f5162bcfe2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_it.dll

Filesize
30KB

MD5
e262152f3073a8844a91b96d9e2d3654

SHA1
cbbc63c83d7e64decb0051003df2302bddef8d74

SHA256
0a6456fdd7a478601ddf5023a7cd1ac4cb60625cd923ec2cde0ebe27df5580e0

SHA512
eb97435cfc05dcf6dd4befc4f26a04afeb6c325b31bfbb28458dae93c364e4b9843acc6e3af4288b9b73b29c580c879cbfe2c2072a2b1a195209a3eee0107bff

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_iw.dll

Filesize
25KB

MD5
efab4c3443667ad03b0691b64ca59c06

SHA1
cb3a8aeda638487457190aba6ea6b9f192a74b79

SHA256
f891f1582db23b15c41c73d275da18d7cc2e19f5b5c203296a3b600d515a112f

SHA512
c789511347695ba46dbd278318178f8a8bd0ded085be30d5af31159311f59ea4d5f50512bfe101811b9147e75266793c3c368252f03317543340688d2c2ed65b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ja.dll

Filesize
24KB

MD5
73ee1027ca9e65f183b6f57af002a1d5

SHA1
fa61e32fd684c80e6bb6bcc4f6673de859045294

SHA256
11922a03742dc6669397f637db7fe5d114ea02f869c0468325ed1e73d8b00eee

SHA512
9c1d9424bac323fe363d73b916a1a53e876add0e99ff9bc846e200514c1ca4bd50f12977eac9351da7f5131cb29a414ca8864f5dbcefb8d6ab8ede17afad88eb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ka.dll

Filesize
29KB

MD5
a08d23d8b93aa7b42472782ad0270bde

SHA1
c69da87d51a274889b0d0793a11d5efc225aa7fc

SHA256
a2a2c462ac972a1a51812c9afbec222e86c35ae7ff3f84d5ca5bcf1ba5b92afb

SHA512
6312e31d98fef0cbb15decf242c94f1fff437405dd88b3db0a558ca4fd7c05924a9f6984328d4685093cd7e6a5586cad1f6538d4fcc5c49ecc2ceaed1ae8a177

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_kk.dll

Filesize
28KB

MD5
8d94e8e623d0c312746c87bc89e31884

SHA1
eb8aa84e019f33c2d9a5c8586cb30ba623080eca

SHA256
29e0e2518cdce459307d5cbc005661cbda90f50d2bd38a8bbc2a765ab66571e0

SHA512
1cf51112f791bfcf8237999e13ab02abbf0c1388f7fa72af9c875ff35ba1c43f06a5a6a700717c91a9429cd733717084b7c9c58ef1006637c8a93bf9ec28846f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_km.dll

Filesize
27KB

MD5
8bf548d0c7b7f2b3d3ae095dfc20f92e

SHA1
97a1bfb2cba2042fa30a8971435c353223c8e5fa

SHA256
9390c7badb2d78ef8332f26a8666c305de8b689d668825b6e46871429f04be92

SHA512
3c47fd94057e92b4676fbef481f7a69845f63a1ee037824d60d21deb8d9ee3c7f17d762ac772954f9c56271cea09a75055a4526d86bf4a2bed7b9501bfd2ca7f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_kn.dll

Filesize
29KB

MD5
837b7169fe2f32442747e2536260cafb

SHA1
5d54a018b0f89b93e9b0fb7d2a7cf148c506fbfd

SHA256
76f132578c780716e41199d3f7920ce082673ae2017cd707532ced626cc73ad7

SHA512
858ef0b9051db270c52df18e067befde02cb4bdb457eee21b1070bd3fcf9bac1308934427f77904ca218bfbf81e8f4e1c9a3b8d5fe41b760c3d0c7043a91718a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_ko.dll

Filesize
23KB

MD5
301c1f5614829a6f882cedd9f94c1a6e

SHA1
9a15f36d9bfc3e9341f90016cc29e81ed1d5ebc2

SHA256
22e81ab48a43c77de22f245e0bea8166c223e028305be297ef544930e6619ad7

SHA512
3f19154c10bfdcf467d990f454fdfc164cb80cb1546fad9137027fd24815067a52319f6b57a1d51b6dce02fad836a8432c6aef135634598a52ce53bd31b72dc2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_kok.dll

Filesize
28KB

MD5
e482c6c8db13616229ad80f037418ded

SHA1
e287258d74473d914d1d96180d8b688623df2f11

SHA256
6a2c4e0f35f460c6c1c16693f02ad296acc5d39873017541d05bb1b8809678e3

SHA512
a6f0aed1701a5bb33be50a46fb2dee9f48891d647c0be5ba0fc9ef18ccc6fb8dae89502c7523369d0d5c9137027a90871ae7c7abd1c90fe487b92652ad138f7e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_lb.dll

Filesize
30KB

MD5
d00d168fb7744da10ee335734e96fac2

SHA1
e0a7c71c03f3783c5a2396b9459db95495301c2f

SHA256
f401921994f6a6e1fefde9b67689d190edd27b266411d8a894f4c5d97c185cc2

SHA512
3ee7a02a1a842ed269aa71a3bd1de4c8e7f1c730927729237de486bfeb29b568730860e48496551e33f5b912f11d42819bc130d50cfb7b117b41459bb4a7215b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_lo.dll

Filesize
27KB

MD5
ae38f2374755edee25322c17acd6fb81

SHA1
584ec2c13caf593ce41e39c6fd1b0b76c8e85db6

SHA256
126a8c5ca01032e9b16125fbf456ddb0759d410d0af13d6ff9f6bda5e6a4a811

SHA512
0e56d03c6754513a7a988a7a4fc30dc72bd4cbceb593a17037c7c164d4f1acbf2a37863b4063c4988153c24e0bf78f3a7858105bedc612b6caf63217dd6ebf5b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_lt.dll

Filesize
27KB

MD5
09fe35edf45974f6ac4de39860b11b7d

SHA1
198e38407cb6dd8e088a997b715f143a099364d3

SHA256
15ec76b9cd076cd13aa5b146fa96c2d4100312f5350c9fa0a2ef806a6140d6df

SHA512
2ac5a6f09824af75f03d418026f16df75c943e1b8b253f8a9513dc266f6478e3f21048660b4ad8970372db877a037e39bb6a7a439d2ef91672b6cb167a4a798a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A5.tmp\msedgeupdateres_lv.dll

Filesize
28KB

MD5
edcd3418e5b28f7cc32daca004ee11c3

SHA1
ca708333370cefe3a5d2a37cbbf1479ee1d26442

SHA256
617f7d2674b0f3768a6828b6c98cfa834f2ddadfe65d2069f14398ae11e38fe5

SHA512
98e525818960a7cfed3050c986faa72bc04408e706631fae510a0724da644c683af48afd8a1a8b10837cea1072c70fea19db39f81174258394bea89cdc2eca61

Download Submit
C:\Program Files\webOS Dev Manager\webOS Dev Manager.exe

Filesize
27.7MB

MD5
2c4d64be60aaf63c93a8fa611340bb94

SHA1
cc9a7071c49a03b318e06184d5a466ca635bd45c

SHA256
f767ecd6c366a0461e73b549bb3c43e9c841c3fc667f5eb099e918c4ea0d23e1

SHA512
083ba780913da012c8a82538bda6fbe7c959f3b423d13f06465d5508453d00a596878ccdcb6826f6c1677cc1ffd07fba063895427ef25f6d730df725e05bc84c

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
61KB

MD5
9b324c88dbcc6174a962eca0cf5a1fe4

SHA1
94c16b72a485cb19c3190df0a7124ede4b9de461

SHA256
f981cfb037326b0a412a06d8ec12805de19b3909c3cbf0346d89a671d634b1e6

SHA512
cbfb97f2be10b197c7fbb74c4e38a9f489548375c34267f9211bac67d164770421141ee46ec48617cf3e16cb59aa47b9eda6020474ee09495bdbaea1c1e7e14e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\webOS Dev Manager\webOS Dev Manager.lnk

Filesize
2KB

MD5
a1986b7dd68159a9b0ae5fa5bbde8a7e

SHA1
23c2cb5515646aad6de946fc50ab634b16428a57

SHA256
ea3d46beb44e4bc782a30533c20ed5bde7b2f1650520e771f86890c56d39c216

SHA512
dffae6142260a784da0510211aeb9f8aa1fff3220486d10e6734492b8aca59829ce32afe0408579499636b222fea3828cc02789491de82e657782f0b763b6629

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\webOS Dev Manager\webOS Dev Manager.lnk~RFe57fe55.TMP

Filesize
2KB

MD5
09eed8bc1a76a5e58a7ee9377edfe538

SHA1
707dddaea2931a5cec9e41a65f045a5243af0b21

SHA256
99a6fb01e2270b258a3b8402acc02fb3d6da4b27c69e612d6f75d42cb73f4812

SHA512
91d9c6508310e88ffe48b9174bed3d8bb1ec4e09568ad3d0e543f8ece793b3a631a155637e085b09d5a915706fe9c86d2ad1d8a797bb478012c025e4b326133e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBF68.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Windows\Installer\MSI2CB.tmp

Filesize
1.5MB

MD5
5dea9c2817f371ab099207dfeb44de3f

SHA1
65c0c878e6788cd97421b7b0efed92eeff38fff3

SHA256
d652ace87dc6b2b4bcf85e17e099a6928414134a71e4f5e45e580148c759a685

SHA512
0e954612cbd90a04cc22579b2864e61f7be77f50b054482b53b0de7880d98ef1e80250f446a7be45fb5e9d3f2cbf409bb6b2f164c81dd86fb616142d420aeecf

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
ce8bd6d00343b82e5f447a53d99d51aa

SHA1
59ee130203726f7eddc799f39aa63672378cc4db

SHA256
a21f35130b0aa953f004dd1731adad1a4a35db9275b1992f7606e7fc0b69e6cd

SHA512
735cfca5b11adf047f4ef480f7ae8136dbf7c0a43b247d40762c0f80c17842bc2df984dbc0f651a92348ae37ddf16016cea8d5d244a1d36736bc1e2addcbaf94

Download Submit
\??\Volume{1997270e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3e5ad0c5-90a4-403f-9888-a70cc6a00fe7}_OnDiskSnapshotProp

Filesize
6KB

MD5
4d548e96c0f2cb0c26c806d21abcf455

SHA1
5b54ac8832f84d5c0d10b21c85f8c053e567421a

SHA256
99764fd0284c03f98c6de2bde0cfab53481dc9d942efb1f8042e8397ca6e8a9c

SHA512
a030779a397b3d479d6b63feb7cde9d52b7c95078560b850d8b75bb271ee2bdfa11dd97189db5aa81b8c1108ad6a810c81c5d3784bf656791efc0c83777c36a2

Download Submit
memory/5108-241-0x0000000074360000-0x0000000074582000-memory.dmp

Filesize
2.1MB

Download
memory/5108-230-0x0000000074360000-0x0000000074582000-memory.dmp

Filesize
2.1MB

Download
memory/5108-229-0x00000000008C0000-0x00000000008F5000-memory.dmp

Filesize
212KB

Download