c3ff654a5d646b05b0f2bbd561c9755523da906faf5159fa681beddce2a5edab

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29-08-2023 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The+BPR.msi
Size

11.8MB
MD5

6c18d2ef58254ef7ed313615a4d22313
SHA1

b3378cd5fdb3e39ec2efa56f8f734528dd60edc0
SHA256

c3ff654a5d646b05b0f2bbd561c9755523da906faf5159fa681beddce2a5edab
SHA512

fe211b2ed86e3c8d5503ffe182b904707b4885e7af3b98df50d78d65b98b6aa1d976e9949b80e583746baf9b96e186740fab569888888bec61822cbfb6e22e2f
SSDEEP

196608:2lXHnh3zskdvgnaF9Rhc0kvOvscawFA6pwi26tJYtli52uwp37kEsKt:2lXB31d8mRhcYkNepxrtylxdz

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2080	msiexec.exe
5	2080	msiexec.exe
7	2080	msiexec.exe
9	2080	msiexec.exe

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Executes dropped EXE 23 IoCs

pid	Process
1564	TheBPRService.exe
3020	MSIFCF.tmp
1860	MicrosoftEdgeUpdate.exe
1284	MicrosoftEdgeUpdate.exe
2872	MicrosoftEdgeUpdate.exe
2952	MicrosoftEdgeUpdateComRegisterShell64.exe
2784	MicrosoftEdgeUpdateComRegisterShell64.exe
2108	MicrosoftEdgeUpdateComRegisterShell64.exe
2520	MicrosoftEdgeUpdate.exe
2824	MicrosoftEdgeUpdate.exe
304	MicrosoftEdgeUpdate.exe
1384	MicrosoftEdgeUpdate.exe
1920	MicrosoftEdge_X64_109.0.1518.115.exe
740	setup.exe
2700	MicrosoftEdgeUpdate.exe
2264	The BPR.exe
904	msedgewebview2.exe
2256	msedgewebview2.exe
1688	msedgewebview2.exe
3004	msedgewebview2.exe
2440	msedgewebview2.exe
2296	msedgewebview2.exe
2656	msedgewebview2.exe

Loads dropped DLL 64 IoCs

pid	Process
744	MsiExec.exe
744	MsiExec.exe
1564	TheBPRService.exe
1564	TheBPRService.exe
1564	TheBPRService.exe
1564	TheBPRService.exe
1564	TheBPRService.exe
1564	TheBPRService.exe
3020	MSIFCF.tmp
1860	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe
2872	MicrosoftEdgeUpdate.exe
2872	MicrosoftEdgeUpdate.exe
2952	MicrosoftEdgeUpdateComRegisterShell64.exe
2872	MicrosoftEdgeUpdate.exe
2872	MicrosoftEdgeUpdate.exe
2784	MicrosoftEdgeUpdateComRegisterShell64.exe
2872	MicrosoftEdgeUpdate.exe
2872	MicrosoftEdgeUpdate.exe
2108	MicrosoftEdgeUpdateComRegisterShell64.exe
2872	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe
304	MicrosoftEdgeUpdate.exe
2824	MicrosoftEdgeUpdate.exe
304	MicrosoftEdgeUpdate.exe
304	MicrosoftEdgeUpdate.exe
1920	MicrosoftEdge_X64_109.0.1518.115.exe
740	setup.exe
304	MicrosoftEdgeUpdate.exe
744	MsiExec.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
904	msedgewebview2.exe
904	msedgewebview2.exe
2256	msedgewebview2.exe
904	msedgewebview2.exe
904	msedgewebview2.exe

Registers COM server for autorun 1 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\The BPR = "C:\\Program Files (x86)\\The BPR\\The BPR.exe /minimise"	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	TheBPRService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	TheBPRService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	TheBPRService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	TheBPRService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	TheBPRService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	TheBPRService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_nn.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Locales\hu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\msedge_100_percent.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Trust Protection Lists\Mu\Other	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\dwritemin.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Trust Protection Lists\Sigma\Staging	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\psuser_arm64.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_sr-Cyrl-RS.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\tt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\VisualElements\LogoDev.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_es.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_az.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\dwritemin.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Trust Protection Lists\Sigma\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File created	C:\Program Files (x86)\The BPR\Xceed.Words.NET.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\psmachine_64.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\icudtl.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Locales\km.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\vcruntime140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Trust Protection Lists\Sigma\Content	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_tt.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\identity_proxy\canary.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\identity_proxy\stable.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Locales\am.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\oneauth.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Installer\msedge_7z.data	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\gu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\57ae5e0f-9ab4-4301-b094-ae198e525c8f.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_ka.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\mr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\tr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\ug.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\VisualElements\SmallLogoCanary.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_cs.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedge.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Trust Protection Lists\Sigma\Analytics	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\et.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\identity_proxy\canary.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_th.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Locales\et.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Locales\lo.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Trust Protection Lists\Sigma\Content	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\es-419.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\kk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\es-419.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\kok.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_zh-CN.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\vk_swiftshader.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\libsmartscreenn.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_fi.dll	MSIFCF.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Locales\de.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Notifications\SoftLandingAssetDark.gif	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msvcp140.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Locales\af.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\BHO\ie_to_edge_bho.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\Trust Protection Lists\Sigma\Advertising	setup.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE4E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CC8.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE0D1.tmp	msiexec.exe
File created	C:\Windows\Installer\{565AA690-D9DF-43E2-B9D9-C42F6E4D3740}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\f76de11.ipi	msiexec.exe
File created	C:\Windows\Installer\f76de13.msi	msiexec.exe
File created	C:\Windows\Installer\f76de10.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76de10.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{565AA690-D9DF-43E2-B9D9-C42F6E4D3740}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\f76de11.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2144	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	TheBPRService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	TheBPRService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	TheBPRService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-89-f8-2c-45-5f\WpadDecisionTime = c01194887edad901	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3DFD9C22-B512-4F99-9131-4890278E7C7B}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-89-f8-2c-45-5f\WpadDetectedUrl	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3DFD9C22-B512-4F99-9131-4890278E7C7B}\WpadNetworkName = "Network 2"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-89-f8-2c-45-5f	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-89-f8-2c-45-5f\WpadDetectedUrl	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-89-f8-2c-45-5f\WpadDecision = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3DFD9C22-B512-4F99-9131-4890278E7C7B}\WpadDecisionTime = c01194887edad901	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-89-f8-2c-45-5f	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3DFD9C22-B512-4F99-9131-4890278E7C7B}\WpadDecisionReason = "1"	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-89-f8-2c-45-5f\WpadDecisionTime = 202731947edad901	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	TheBPRService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3DFD9C22-B512-4F99-9131-4890278E7C7B}\WpadNetworkName = "Network 2"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	TheBPRService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{85503227-BB57-4913-BD2D-B3D43F5C03B6}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BA3C8F8-C960-456B-90E5-9D6468CD1B6C}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BA3C8F8-C960-456B-90E5-9D6468CD1B6C}\InprocHandler32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ = "IPolicyStatus4"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ProgID\ = "MicrosoftEdgeUpdate.CredentialDialogMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebSvc.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{85503227-BB57-4913-BD2D-B3D43F5C03B6}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\MicrosoftEdgeUpdateOnDemand.exe\""	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BA3C8F8-C960-456B-90E5-9D6468CD1B6C}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.175.29\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods\ = "13"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{85503227-BB57-4913-BD2D-B3D43F5C03B6}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{85503227-BB57-4913-BD2D-B3D43F5C03B6}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\096AA565FD9D2E349B9D4CF2E6D47304\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\CLSID\ = "{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{85503227-BB57-4913-BD2D-B3D43F5C03B6}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85503227-BB57-4913-BD2D-B3D43F5C03B6}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CLSID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}	MicrosoftEdgeUpdate.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	TheBPRService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	TheBPRService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	TheBPRService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	The BPR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	The BPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	TheBPRService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
744	MsiExec.exe
744	MsiExec.exe
2680	msiexec.exe
2680	msiexec.exe
1860	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe
1860	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2080	msiexec.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeTakeOwnershipPrivilege	2680	msiexec.exe
Token: SeSecurityPrivilege	2680	msiexec.exe
Token: SeCreateTokenPrivilege	2080	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2080	msiexec.exe
Token: SeLockMemoryPrivilege	2080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2080	msiexec.exe
Token: SeMachineAccountPrivilege	2080	msiexec.exe
Token: SeTcbPrivilege	2080	msiexec.exe
Token: SeSecurityPrivilege	2080	msiexec.exe
Token: SeTakeOwnershipPrivilege	2080	msiexec.exe
Token: SeLoadDriverPrivilege	2080	msiexec.exe
Token: SeSystemProfilePrivilege	2080	msiexec.exe
Token: SeSystemtimePrivilege	2080	msiexec.exe
Token: SeProfSingleProcessPrivilege	2080	msiexec.exe
Token: SeIncBasePriorityPrivilege	2080	msiexec.exe
Token: SeCreatePagefilePrivilege	2080	msiexec.exe
Token: SeCreatePermanentPrivilege	2080	msiexec.exe
Token: SeBackupPrivilege	2080	msiexec.exe
Token: SeRestorePrivilege	2080	msiexec.exe
Token: SeShutdownPrivilege	2080	msiexec.exe
Token: SeDebugPrivilege	2080	msiexec.exe
Token: SeAuditPrivilege	2080	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2080	msiexec.exe
Token: SeChangeNotifyPrivilege	2080	msiexec.exe
Token: SeRemoteShutdownPrivilege	2080	msiexec.exe
Token: SeUndockPrivilege	2080	msiexec.exe
Token: SeSyncAgentPrivilege	2080	msiexec.exe
Token: SeEnableDelegationPrivilege	2080	msiexec.exe
Token: SeManageVolumePrivilege	2080	msiexec.exe
Token: SeImpersonatePrivilege	2080	msiexec.exe
Token: SeCreateGlobalPrivilege	2080	msiexec.exe
Token: SeBackupPrivilege	2400	vssvc.exe
Token: SeRestorePrivilege	2400	vssvc.exe
Token: SeAuditPrivilege	2400	vssvc.exe
Token: SeBackupPrivilege	2680	msiexec.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeRestorePrivilege	1720	DrvInst.exe
Token: SeRestorePrivilege	1720	DrvInst.exe
Token: SeRestorePrivilege	1720	DrvInst.exe
Token: SeRestorePrivilege	1720	DrvInst.exe
Token: SeRestorePrivilege	1720	DrvInst.exe
Token: SeRestorePrivilege	1720	DrvInst.exe
Token: SeRestorePrivilege	1720	DrvInst.exe
Token: SeLoadDriverPrivilege	1720	DrvInst.exe
Token: SeLoadDriverPrivilege	1720	DrvInst.exe
Token: SeLoadDriverPrivilege	1720	DrvInst.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeTakeOwnershipPrivilege	2680	msiexec.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeTakeOwnershipPrivilege	2680	msiexec.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeTakeOwnershipPrivilege	2680	msiexec.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeTakeOwnershipPrivilege	2680	msiexec.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeTakeOwnershipPrivilege	2680	msiexec.exe
Token: SeDebugPrivilege	1564	TheBPRService.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeTakeOwnershipPrivilege	2680	msiexec.exe
Token: SeRestorePrivilege	2680	msiexec.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2080	msiexec.exe
2080	msiexec.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
904	msedgewebview2.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe
2264	The BPR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 744	2680	msiexec.exe	33
PID 2680 wrote to memory of 744	2680	msiexec.exe	33
PID 2680 wrote to memory of 744	2680	msiexec.exe	33
PID 2680 wrote to memory of 744	2680	msiexec.exe	33
PID 2680 wrote to memory of 744	2680	msiexec.exe	33
PID 2680 wrote to memory of 744	2680	msiexec.exe	33
PID 2680 wrote to memory of 744	2680	msiexec.exe	33
PID 744 wrote to memory of 2144	744	MsiExec.exe	35
PID 744 wrote to memory of 2144	744	MsiExec.exe	35
PID 744 wrote to memory of 2144	744	MsiExec.exe	35
PID 744 wrote to memory of 2144	744	MsiExec.exe	35
PID 2680 wrote to memory of 3020	2680	msiexec.exe	40
PID 2680 wrote to memory of 3020	2680	msiexec.exe	40
PID 2680 wrote to memory of 3020	2680	msiexec.exe	40
PID 2680 wrote to memory of 3020	2680	msiexec.exe	40
PID 2680 wrote to memory of 3020	2680	msiexec.exe	40
PID 2680 wrote to memory of 3020	2680	msiexec.exe	40
PID 2680 wrote to memory of 3020	2680	msiexec.exe	40
PID 3020 wrote to memory of 1860	3020	MSIFCF.tmp	41
PID 3020 wrote to memory of 1860	3020	MSIFCF.tmp	41
PID 3020 wrote to memory of 1860	3020	MSIFCF.tmp	41
PID 3020 wrote to memory of 1860	3020	MSIFCF.tmp	41
PID 3020 wrote to memory of 1860	3020	MSIFCF.tmp	41
PID 3020 wrote to memory of 1860	3020	MSIFCF.tmp	41
PID 3020 wrote to memory of 1860	3020	MSIFCF.tmp	41
PID 1860 wrote to memory of 1284	1860	MicrosoftEdgeUpdate.exe	42
PID 1860 wrote to memory of 1284	1860	MicrosoftEdgeUpdate.exe	42
PID 1860 wrote to memory of 1284	1860	MicrosoftEdgeUpdate.exe	42
PID 1860 wrote to memory of 1284	1860	MicrosoftEdgeUpdate.exe	42
PID 1860 wrote to memory of 1284	1860	MicrosoftEdgeUpdate.exe	42
PID 1860 wrote to memory of 1284	1860	MicrosoftEdgeUpdate.exe	42
PID 1860 wrote to memory of 1284	1860	MicrosoftEdgeUpdate.exe	42
PID 1860 wrote to memory of 2872	1860	MicrosoftEdgeUpdate.exe	43
PID 1860 wrote to memory of 2872	1860	MicrosoftEdgeUpdate.exe	43
PID 1860 wrote to memory of 2872	1860	MicrosoftEdgeUpdate.exe	43
PID 1860 wrote to memory of 2872	1860	MicrosoftEdgeUpdate.exe	43
PID 1860 wrote to memory of 2872	1860	MicrosoftEdgeUpdate.exe	43
PID 1860 wrote to memory of 2872	1860	MicrosoftEdgeUpdate.exe	43
PID 1860 wrote to memory of 2872	1860	MicrosoftEdgeUpdate.exe	43
PID 2872 wrote to memory of 2952	2872	MicrosoftEdgeUpdate.exe	44
PID 2872 wrote to memory of 2952	2872	MicrosoftEdgeUpdate.exe	44
PID 2872 wrote to memory of 2952	2872	MicrosoftEdgeUpdate.exe	44
PID 2872 wrote to memory of 2952	2872	MicrosoftEdgeUpdate.exe	44
PID 2872 wrote to memory of 2784	2872	MicrosoftEdgeUpdate.exe	45
PID 2872 wrote to memory of 2784	2872	MicrosoftEdgeUpdate.exe	45
PID 2872 wrote to memory of 2784	2872	MicrosoftEdgeUpdate.exe	45
PID 2872 wrote to memory of 2784	2872	MicrosoftEdgeUpdate.exe	45
PID 2872 wrote to memory of 2108	2872	MicrosoftEdgeUpdate.exe	46
PID 2872 wrote to memory of 2108	2872	MicrosoftEdgeUpdate.exe	46
PID 2872 wrote to memory of 2108	2872	MicrosoftEdgeUpdate.exe	46
PID 2872 wrote to memory of 2108	2872	MicrosoftEdgeUpdate.exe	46
PID 1860 wrote to memory of 2520	1860	MicrosoftEdgeUpdate.exe	47
PID 1860 wrote to memory of 2520	1860	MicrosoftEdgeUpdate.exe	47
PID 1860 wrote to memory of 2520	1860	MicrosoftEdgeUpdate.exe	47
PID 1860 wrote to memory of 2520	1860	MicrosoftEdgeUpdate.exe	47
PID 1860 wrote to memory of 2520	1860	MicrosoftEdgeUpdate.exe	47
PID 1860 wrote to memory of 2520	1860	MicrosoftEdgeUpdate.exe	47
PID 1860 wrote to memory of 2520	1860	MicrosoftEdgeUpdate.exe	47
PID 1860 wrote to memory of 2824	1860	MicrosoftEdgeUpdate.exe	48
PID 1860 wrote to memory of 2824	1860	MicrosoftEdgeUpdate.exe	48
PID 1860 wrote to memory of 2824	1860	MicrosoftEdgeUpdate.exe	48
PID 1860 wrote to memory of 2824	1860	MicrosoftEdgeUpdate.exe	48
PID 1860 wrote to memory of 2824	1860	MicrosoftEdgeUpdate.exe	48
PID 1860 wrote to memory of 2824	1860	MicrosoftEdgeUpdate.exe	48

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\The+BPR.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89C0BA59D0330ED732FC0348CEDC85CF
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\\System32\taskkill.exe" /F /IM "The BPR.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- C:\Windows\Installer\MSIFCF.tmp
  "C:\Windows\Installer\MSIFCF.tmp" /silent /install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
    3⤵
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1284
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2952
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2784
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2108
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzUzNzAzOTktMzNDMy00RDk4LThGQjAtRTk4M0ZCNzNEQ0NGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins5QTYyMTRCRC03NkYwLTQ2M0ItODQ1MS0xODUyRENFM0VDNDR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4xNzUuMjkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjI2NDg1MjQwMDAiIGluc3RhbGxfdGltZV9tcz0iMjYyMSIvPjwvYXBwPjwvcmVxdWVzdD4
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Modifies system certificate store
      PID:2520
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{35370399-33C3-4D98-8FB0-E983FB73DCCF}" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2824
- C:\Program Files (x86)\The BPR\The BPR.exe
  "C:\Program Files (x86)\The BPR\The BPR.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2264
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="The BPR.exe" --webview-exe-version=4.0.19.190 --user-data-dir="C:\Users\Admin\AppData\Roaming\The BPR\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=OverscrollHistoryNavigation,msExperimentalScrolling --mojo-named-platform-channel-pipe=2264.1740.9146674926579497560
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:904
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\The BPR\EBWebView" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\The BPR\EBWebView\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=109.0.1518.115 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xdc,0x7fef667ffa8,0x7fef667ffb8,0x7fef667ffc8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2256
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\The BPR\EBWebView" --webview-exe-name="The BPR.exe" --webview-exe-version=4.0.19.190 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1240,i,13714480672514909026,12262632478708972973,131072 --disable-features=OverscrollHistoryNavigation,msExperimentalScrolling /prefetch:2
      4⤵
      Executes dropped EXE
      PID:1688
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\The BPR\EBWebView" --webview-exe-name="The BPR.exe" --webview-exe-version=4.0.19.190 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=1476 --field-trial-handle=1240,i,13714480672514909026,12262632478708972973,131072 --disable-features=OverscrollHistoryNavigation,msExperimentalScrolling /prefetch:3
      4⤵
      Executes dropped EXE
      PID:3004
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\The BPR\EBWebView" --webview-exe-name="The BPR.exe" --webview-exe-version=4.0.19.190 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=1588 --field-trial-handle=1240,i,13714480672514909026,12262632478708972973,131072 --disable-features=OverscrollHistoryNavigation,msExperimentalScrolling /prefetch:8
      4⤵
      Executes dropped EXE
      PID:2440
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\The BPR\EBWebView" --webview-exe-name="The BPR.exe" --webview-exe-version=4.0.19.190 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=2220 --field-trial-handle=1240,i,13714480672514909026,12262632478708972973,131072 --disable-features=OverscrollHistoryNavigation,msExperimentalScrolling /prefetch:1
      4⤵
      Executes dropped EXE
      PID:2296
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.115\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\The BPR\EBWebView" --webview-exe-name="The BPR.exe" --webview-exe-version=4.0.19.190 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1300 --field-trial-handle=1240,i,13714480672514909026,12262632478708972973,131072 --disable-features=OverscrollHistoryNavigation,msExperimentalScrolling /prefetch:2
      4⤵
      Executes dropped EXE
      PID:2656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000594" "00000000000003D4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Program Files (x86)\The BPR\TheBPRService.exe
"C:\Program Files (x86)\The BPR\TheBPRService.exe" /start TheBPRService
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:304
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzUzNzAzOTktMzNDMy00RDk4LThGQjAtRTk4M0ZCNzNEQ0NGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFRERCMzAyOC1CMUQyLTRBMUUtQjVBNy01NjMwNEJGOTJBRDF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIzIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIyNjUxOTU2MDAwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1384
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DAF0497A-9346-4A8A-9C6E-6A20414C4991}\MicrosoftEdge_X64_109.0.1518.115.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DAF0497A-9346-4A8A-9C6E-6A20414C4991}\MicrosoftEdge_X64_109.0.1518.115.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1920
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DAF0497A-9346-4A8A-9C6E-6A20414C4991}\EDGEMITMP_13970.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DAF0497A-9346-4A8A-9C6E-6A20414C4991}\EDGEMITMP_13970.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DAF0497A-9346-4A8A-9C6E-6A20414C4991}\MicrosoftEdge_X64_109.0.1518.115.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:740
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzUzNzAzOTktMzNDMy00RDk4LThGQjAtRTk4M0ZCNzNEQ0NGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InszNDI5NTVCNS04MkU1LTQ4QTQtODBDOS1DMkM2RjBGRTdGMDZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEwOS4wLjE1MTguMTE1IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIzMDIxODMyMDAwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMzAyMTgzMjAwMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjMxOTg0MjQwMDAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2JkZWIxZjM3LTc4MTItNDZhNS05ZDg2LTA4YTk4YTM4OWY0Nz9QMT0xNjkzOTIxMzMzJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUp3VkhxMVRSJTJiZXhxdFUzeHZUU2JXckNxZWJSV0pwZVRNUUJsSnBUMkIzVVFxbDAxU0FVZUhWUkZpellDR1piQ2FvMkxmdGtJNjZOcnNiJTJmQ1VsN0JFZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE0MDg2MTQwMCIgdG90YWw9IjE0MDg2MTQwMCIgZG93bmxvYWRfdGltZV9tcz0iMTQ3NDIiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIzMTk4ODkyMDAwIiBzb3VyY2VfdXJsX2luZGV4PSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMzIxMjkzMjAwMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOSIgc3lzdGVtX3VwdGltZV90aWNrcz0iMzQ1NzU0MDAwMCIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjYzMTgiIGRvd25sb2FkX3RpbWVfbXM9IjE3NjkxIiBkb3dubG9hZGVkPSIxNDA4NjE0MDAiIHRvdGFsPSIxNDA4NjE0MDAiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjI0NDYwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76de12.rbs

Filesize
14KB

MD5
9774888a0e736af96b7f6e4c2cb46479

SHA1
0f83777d85718decb0aa296957f51c54193b6d75

SHA256
6ab54ed88bbddd06baea99d218695dc96796c191eb504e9c265c603d594b185b

SHA512
62b3e4280b35c77c26bc89989a4d255b12e4220587683c252a8b510febcf9c99f103a0200f002cc0f401ff123c8f6f5f6652b3937d73e200a9ea661ed77402f6

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\109.0.1518.115\MicrosoftEdge_X64_109.0.1518.115.exe

Filesize
134.3MB

MD5
e4715c207793199b7aba7ff1c9b2be5f

SHA1
36a486a00763734b21c290d85bbeff249283065b

SHA256
afd829e766ec06f769f56b447669e5b1917d7db02e5ef8d64b45fe16f652fe2d

SHA512
992f5bc65a97d5aabd055d0cabb47387845cdd4d923d38129b0df0ddf12f70940d48b9a12dc61438b21badc7066c1d1003b3098330146e0811fafe398a42d945

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
cfad69d55cbb9ceeffaccdd176e19f7a

SHA1
076f72b145f761d23d533ed981ae059fa61339d2

SHA256
a238fc18a787d5f21a4942690029e0240597c7fc0d7dbb401063486387b7bf7c

SHA512
6a125ee8d46c444bfbd92967d46c7c127da7904fa9f9505528cd479ea169ce4c9026400e5b59e136fc0a2c8e2de64a53eb4e7cc8ddbdb5f541df47ed401f04a5

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Installer\msedge_7z.data

Filesize
3KB

MD5
c82d8b246b04392e34071a367ea31630

SHA1
3f8abcfafc0c5ea2d4d9314b78d6cd6b53ac35ff

SHA256
07818921e05e4496efbdd575cb13a02dd94d345a012fad4d60ea9daaff4a0859

SHA512
aab934baf23817e44334e5ce48e75acdd6748a2c95ca220e19ce251821efe319035337aa1a550910e6b79ef8e0ff78542fb19dc7fcc20b53c45088913c57e5a4

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source740_1635375532\109.0.1518.115\Installer\setup.exe

Filesize
3.8MB

MD5
ea4eb19c4e5d45b71e1603cd432e66f1

SHA1
1f480919fca94309ac654455ddd4722b946572c1

SHA256
e2671439eb32841435a31f5e028c9115904e0ef1ef0c44018d656ee0f0d5a62f

SHA512
0ae22ce4a21770bdb6389390fd5ba487294efd254cd30514c1103c1b940108cce31e27351b3de088d88e6b6223433470437d0512bfd89a2affb426f8247e86ab

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
daada62a6b54ec575220c7745bedf20f

SHA1
69089725280a1f9fd9dd15c3cdfde57f1231dd49

SHA256
31b6cccd8b69ecdf4f171cf9fa3fed12526b4de483ef9481e843264a9c173a61

SHA512
7e166145502f46948bccf95921477867df57a9dc5fe3f8e6f5e85f3907bf0d9fa8c59c97447f67dcc71e4e218602482ec4c1138cc9da84d3bd7ca87cbe07348e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
cfad69d55cbb9ceeffaccdd176e19f7a

SHA1
076f72b145f761d23d533ed981ae059fa61339d2

SHA256
a238fc18a787d5f21a4942690029e0240597c7fc0d7dbb401063486387b7bf7c

SHA512
6a125ee8d46c444bfbd92967d46c7c127da7904fa9f9505528cd479ea169ce4c9026400e5b59e136fc0a2c8e2de64a53eb4e7cc8ddbdb5f541df47ed401f04a5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
cfad69d55cbb9ceeffaccdd176e19f7a

SHA1
076f72b145f761d23d533ed981ae059fa61339d2

SHA256
a238fc18a787d5f21a4942690029e0240597c7fc0d7dbb401063486387b7bf7c

SHA512
6a125ee8d46c444bfbd92967d46c7c127da7904fa9f9505528cd479ea169ce4c9026400e5b59e136fc0a2c8e2de64a53eb4e7cc8ddbdb5f541df47ed401f04a5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
79d33cc2d0e0991846307af5135f19de

SHA1
7f7c48ad1da5e71ffa3e6e6b2611a84a51a16f3d

SHA256
5ad9879adffd90fcd5130599eb990248df4561e7fd913521c182c49daa2666a6

SHA512
eb1ca3dc0711f52d98ba2818e33b946c02f86a7f30fc26240ebc8f0720a915374b9704d0222fcb42d010b45a9a6655dcc13fe51f984bce7e9793fe46d6e70d87

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
257KB

MD5
091020f03d39b049fbcbf76857e7f503

SHA1
b61a5756d1a06a60f0d1b6e9f97716b19d32a484

SHA256
170ddf64b90b4fb3bc569113f746ea46d474f7fa55d85a47f14e07ce95ac1e85

SHA512
1f6e5b89ddd10a135af7cca2e035ead8619f795689d0e5bf1a587eadd89389ad1086be5d821ce8b9b5e8a5e2ed908945f4425b0c86adbd3945f874c32d655109

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
fe453156c03a6f223c2b9fd4436eab4f

SHA1
a9812efd18fc8b4b4ef93429c9555d4c0e27e939

SHA256
960034ebf4e93f488adc52f93a0b186b9eb88619418ccf66bafd4872770e5c56

SHA512
2a25c7b194aa3e05860b9346e50a39be914d230c668d8411f6a2a3607a28f0d86ccc9db118c64b70d4d78322b0a39e5d190b6fa22d9d32afb0247e750d572e4c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_af.dll

Filesize
28KB

MD5
4cec13e07d17b661ecbbfa4f56601e12

SHA1
aa9ae58250b7753847c6460dc05f5daf3bd858c3

SHA256
5a8ed430cdb16d6f32ec0e0ab344dae7c012994c348cdce8b881dc4173851d41

SHA512
35564e36f4ae7fe6d00a6c2620a4e9210dedef24bbc4ab305cac58e6672f252ed09d26f9a22b0a47e3e3b3834ff04694cee5b31f821c958f1694987ec516df93

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
bbbecdd9ca70522678c71267483a893b

SHA1
7031f53a5caf739c6cc8818459146c0c1ff050d6

SHA256
e5a983528a86aeaa2a4eda7e82db4fe1694a48bebc99a928dafddcbccc45061c

SHA512
c4af1ff64d9de5322f10406aefe66717b006c1b671fe60b8ef58007357eff05ee7f04fb4e7e57559060b7c75df491cf144da22a0906590459b782d6b3eeeed95

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
f753412c30232cc91ffefd45956dc12d

SHA1
34aadf2c9bc6aea3c3b3ab2b891fd7c91e29d2f1

SHA256
912a3ca7a4b611034525f9ab5111b745df05dbd8f2e15d4d9de5c1e5d52b1520

SHA512
e38e0e8dff76f49aa5cdbdbd77a21325e7448c8e84cccab31373740a7d70f75d741e3ff5d79bcaa7fbb7dfcb01f92814515d2c56689afb0590863fdbdf3ca5e9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_as.dll

Filesize
28KB

MD5
a55c212c8283dbdc776af18a939c70db

SHA1
8a9a3f417cd6b819681201a8a450a3d8679fafa9

SHA256
840d51edcd5c2cb4bff412a909494c9e8c73e99fedf4651f4f3231111abaa7d0

SHA512
7d3474c577bfc27f69aabe5a3512adc8b0e742797f8d39adf344ca9ee2b778357b0af2bbcd6199e79df71e0d1fd35d69ff4a55b54abd3921bdfe84933d7fdd79

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
464557ed8bfbe347a3d549c975f4550a

SHA1
3e3332f4418c498abef3ffd073a5ca3503bea713

SHA256
4be8f54c52103a8a7d3d6b746d9f1f9beda673987a15f8646d9dd29c39830555

SHA512
8846662a38224687d4bbbbf8fcdc4da0fb273316b16c88367f77ade887070ab6b5df0abe67898b4b62095ff11c2460927420f6c0cc83daa87546277664be3a48

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
7b87a195692db37f5e003a34f906b206

SHA1
a0906f62b8e758a9438cfbdaa2091ed709fb4876

SHA256
610a4b79e0c1712d529de7d51f572fc7bd36a2fb0a9376eb78ed787dac9d6ee1

SHA512
938856db033c5e545347e13cab66d4a19879fa1906db04aa66efa1b28d03794d7711397b5bd6379c992498bb904d9016659e0d33ab79fce2c72e4786ac60c682

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
11deafe353b91ffa4b97b11cedc4cf2f

SHA1
8d01ba078cef88d55b0d0b0a3047835260f9eac9

SHA256
41e015d17b6620865d4cf08ce3859b9c48213c6f6b3082547935914646798d69

SHA512
cad9c3a8507b337d6ba8eaad576cb7caf6e0f8bfaa8982828c5ea5e09ceec3c0e2688f16befa7fa6cdd904bf46efc4a9b9f3539a2c799c1984b8b3238a62d550

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
6bf441c7934aed93562a51a259e8797a

SHA1
91231b594e1c4d71a211080cc65dcefe22023d54

SHA256
f6409fb67b919343e3ced35f37a679c6eb68a1fb297c8fd3ce2ccc5f1c4622ab

SHA512
66f79e6b71854d86e21084b67b7fcfb4dd7230b25fb1c7c91ddc79682497902effa949ce97a2ae6622fb131c54a98a13453081e4fd773144367f4e9d55e444ef

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_bs.dll

Filesize
28KB

MD5
835edda869b96197a194e2ff9dfe3385

SHA1
387b7e94bfc1299baa6801923a6f422af594b9d0

SHA256
90b2285a219a248327977ebcc9083a829346dd4e03e6e3726910db1f12dea43a

SHA512
e32db2609782214c96947014cc48edb9b2ecd9ac6857166fcef044aba47cce84696e67c3c40f5995bc6d558b50a93daaed1eeb22d833eea8355ebb9d36fa26d5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
29KB

MD5
47cc63b041960ee31f116a0bf9231c3e

SHA1
b759e38f93ba670032604cd86d53fbd2419cfe57

SHA256
2b4182f2867eb27a7e5b04b934b76cfb3f54fe4f47e5774494000874fb19f180

SHA512
2be494a7a17b04770a1d7cf36d0b0c41ae4182494346d8361490a62b32b636bf0d19837f299cbc9c0b4b3d8a3ef9e6532ca1046d5d8465f4019856002a78d394

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
1ee784ccec7de0ebbaa62e60a617b06b

SHA1
1f2922e1f55126f57b53b5de529af5fc92f00362

SHA256
586ce366238d5f409f620fc0063c53dd7bf6777d7b21b24098de10bf4eeff536

SHA512
f030ff2ffe62a354f9a410bf99ba759092709b255a1474bc966317bd9150a32dd219c90271feb61f6540c29adb79d38202360fe2574e9f48ab097a786a55437a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
26bc8bd32fcd206e63fc1acca181fba1

SHA1
1f5d2d16cd1ec69816b0d0b5d48710fa18a23ee9

SHA256
fd4dee69e4a84e169c2170f257073da681986848e3697e83debc3ce50197d40c

SHA512
4305fb6fd980686d3b43b6eb3298747acb76e188cbc17642b780315f1c27db82c0e29c64ddfe7bd24faaf2b1785f8eac238295ee593b373124ed4157361fd9ee

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
b0b7b8833fb0caa927d8ed943fced24b

SHA1
a662f2f5832e069a4e7b4397823f713de62355a1

SHA256
a5dcc81269a36af2acfcff696a2c33defdf8b408b075b7a945c99fd709a9ac06

SHA512
a33619bdac69e9c4160fd8e8d8fd723582ef0ef223ec22244c98e38213437d33b47f12e760b8fe210e88e059a84465a3b4028bec4ea5f6aea111f78111b19089

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_da.dll

Filesize
28KB

MD5
bee2a241825641230fa53b6c93eb4dbd

SHA1
470ac27b056773be2fc3977921b4205d73c72060

SHA256
c8259c4f89169eb2985cbe9d08237d5ee21d141668316aa856e8bd3e45796b26

SHA512
28dd43e6b3498c9d9d8c828d3e30ce201c23fa4c658a44289cefdca4832166e94302e2bc7a312fa14a982bb7c456d525ecefc5cc66f92d77300b371c49e49589

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_de.dll

Filesize
30KB

MD5
cf67092063b8f6f4b58b34350c5de8f4

SHA1
1066488c4d6bc9d8f0419ca22a0a8eedf991d2ce

SHA256
b74d1512d68d5eb0c003f95a67a45a5b00541d632b87f906ffe420c352dd20fd

SHA512
9688f5fff4761615c92f783ca9a747fe9c14a654e75211d15a95a0bdb69fd0d91cb2b94ffad428245ced3886fa9e0097770d261cf7b3eb887879e6ea8bd15ee9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_el.dll

Filesize
30KB

MD5
ad530063b28b10b31723c25d49dd3825

SHA1
f048fcfd567d788b27d09f537c29cbc5cfffb272

SHA256
7891e81f7bcf9fd8bd3ac3bde9a5712c4ec239719bdfd52ae270503516a45b3d

SHA512
2e83acf683f43329c2ebdcd42764ebc3c48a57363eb2cd33d13c6a2bd001c04925d53c8f676f850ad8fd282003d546f7ae073672abf5e94305cfd38d87afaf6e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
874f1d117415c1860b25c0af6ce47b53

SHA1
1b9b10a29f3fb683d80546edc7e090e6ecc59a3d

SHA256
69cacfe109095eb35695db5dd3af7bf2eae62076ac63c8dca25da70c05a45960

SHA512
8fa4ddbce6ee284ef6718b54253b85e06cebedfb9fc7b5aee0c1a5510fb69b2f765ca685ff38e9e8b54c71f4c500a704fe058487d1957d9beefca9e225b12d4c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
3b6cc9d8797beedf5bf7881358cb8049

SHA1
4a7204e2cb8d20317443b003df32da026aa20244

SHA256
ab7ee167a94a025ea67bed31d1014721b8dd83204ad677fbe83dc9d66ef6df7d

SHA512
4f4e1526f2d502237c341c1b5a307f12fd779dfab69939ee6620cb4ffe6acd221c9bf022793495deb6ac42a7669f4fe9e2f5880a468c7e861ef283c15603b2bb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
5dff1114890ca82cd45f67fecb39589a

SHA1
b94cf4c680a6adb4b212d0463bf0442d5cbd0d07

SHA256
4881145d05f5496a6d60591eb90aa55404b8d89810b9e589a4a40d85a9b64024

SHA512
e90a6d0bf5ae380149e2d8b2a000107d234eefa2c91d5059430f74c6b98169c06acfc4985a27dbca54c3671d4c104585c8d0dd8b838f8415b3d5f1c70ad7edb7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_es.dll

Filesize
28KB

MD5
bf88dd3967c92ccad357715dae767e64

SHA1
dcf8e5bdc481a7f49154fc4aa61fda2886b9397d

SHA256
ca74086f0fcca80f54b0596727b6251baa0127f0ccf1be2465aa067ac65ee8eb

SHA512
6337a57a7458531eedbabfbe6ca1001c33d13943e22dd7f40f986cc8a8f75331c47c85ad8e4b76f12b2e42e7c7d045f79e08af420ee5e80a811e6912caf6e3c2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
763e6253cdb870d31b09941b970e9fd8

SHA1
1794f2174b2304b974b78e22c0f838e408206375

SHA256
fce0380b8de9b8da9a23872d51375e870fdeb0a0c936aa7f5b928ec29cb24b89

SHA512
220c19813bc1ca189189537fd1af952a9c51b7c5c9f84968b6f37e0d929e6912df3b53676dd9d76d115087ca9bc82807f58125d99f8a484a1006917cc60026f8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_eu.dll

Filesize
28KB

MD5
9bc2401b0117a9eb52e6e0352b70710f

SHA1
e9464af5bf221d08681e53977c5914a1564baf60

SHA256
81813064b8591a7b31e0abde388674241940f972d0b6f9b4ef778dbf9015924e

SHA512
13b9e335e4325ef06638073b09c84370a99dc54724dfc0bfbe9d51da45d0631dcc587753a83b6f5bd64c832db8e6841061a46e242caf790b10313c6931a0cee7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_fa.dll

Filesize
27KB

MD5
9a627a92e325d46f311ce1a6a3a89b14

SHA1
c8c840228c7165e29769416671fc4ea53c2bc92e

SHA256
ab79ee9500a7ad67f7f975b3b35e6934f7a2ff4df3436ef6fcebbcd2f1ac094f

SHA512
4d9787f1710293cf3df4f82831bde6d64947098c3eb8e00d108fc431881cccc56e435fa9e5858e753ba0468169b0b514ef5afc1471af6bd7b72a42da2dc7b462

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
2dded7e065e9d261f967c7f298c42dfb

SHA1
ff5c5241392f89076e5d15105277ce80a0a5fdae

SHA256
ab2363fe35adff72b1e55065ba4207d46e00ce6d777e6047562be984efdbc258

SHA512
9f3ab285084705ff516f1f9970a4556b63b23348217f16955139d61807eb536e32e24eddde33848953723320e60a126bbe2d8b45d666f62f5a9e9dc88ef62dd1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
f65a6c09bb1f54270428f5e6fab5539f

SHA1
93cf85382719b1504bc068716f98c9f43134df9d

SHA256
c7108064951fde4f07bdc224ae5943d3c2d64f0b222b9cc4913cc57470b4abf4

SHA512
59954af15fef82b6eaba5d568ad5e18c3c56bdbee9b50f827178d226daceb1cd4c9721dc8306f1182df481d6c744d5db7e947bba6d8f24bf67f8c454d77002d7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
a524885489da2db13df6b88c75c6ff27

SHA1
ae8f5d3246e52988d320c498954239e7b9bfd5d4

SHA256
81f7c40a10e28ddf7100794573d89dde8ba45353f5a4f3944c15e7bf7520ac60

SHA512
1f498c3223e1b4572e726ccfc00f3b52951375fbccbc08a2747f0b64ccf76c624bc42fccbaec8e5547ee07d1a348226b66eb86e36497e943fd53ddc141350491

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
62ef057e21dc30ee3129874451b7870f

SHA1
15f609cb2297479ef06d1c08bf07ded6524f396b

SHA256
e55ea3fb222a247a6aacd5c721968993507d133f3b07b6e3913be26da7e4b3ff

SHA512
d6b37d9b4d0bf4a7030ccb2e3a4dcc8407cf35b68948cb0177e7d53fe6277066d423fcc8b33ec2127faeba9261106896e7b83bd31be6498453d1cbf8072c8e46

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_ga.dll

Filesize
28KB

MD5
ab13f041e3ad6e67f087c131236da3af

SHA1
697ddd32053fe3687c1a502ff83a923a1fec1cc5

SHA256
14d7d6b480e411c79805b89a23a2166e80e025c9a4678f6bd41f359b7532180b

SHA512
86b189c6bf34b0005d1c2cfd14fd7b2ab1f63d076ea69439d80ea6e414a96903567f891eb0d5ad6e68da2321d5e3fd365bf3436bcc0e28b986cd7fae49f1e460

Download Submit
C:\Program Files (x86)\The BPR\Newtonsoft.Json.dll

Filesize
686KB

MD5
b9e0bab5c344b88ab1ff8d5427801ed6

SHA1
3b3b1eb060990305fac74670787e676816faead5

SHA256
827c417c12c5b28d28284fc919f0d1e271dadaf45022f5640234fa66cd12414e

SHA512
b7de36e3ae63e7d50fa6119986224682703092f03c2519d4642245463300d6c933631d5a1873f8b2d2bab1b319d9c2b4feaf74e598865a47a9d1f6aa28290197

Download Submit
C:\Program Files (x86)\The BPR\The BPR.exe

Filesize
4.2MB

MD5
9d8f151e53cd19d6d76a4f1a45bd2ccd

SHA1
7e26ce0c30e0a5e654cca80743a0aebc6e94a7e5

SHA256
2900d0e7204a38ebb65eedb7357db8aefd0527787738a87f12ad84d9f0534137

SHA512
f1b26756f72e1339ef7a3df0b0e13205851c93794f7321668ba64588ab70c7f57d0f91889e42acbf7d5e51a90df13dd78c24d775f6b5d0eb9601f48e390b1999

Download Submit
C:\Program Files (x86)\The BPR\TheBPRService.exe

Filesize
27KB

MD5
dce55d3591d309ea42ca94b30532ffa3

SHA1
ba64968e0e8cc91fa298fe8108bf61168e35fb2a

SHA256
1c4594ca41dceb90e1435eddd6254af49c228998c3d27b5c3670247d24ba5d2e

SHA512
38c9f27891e32d5288d7faa3debf3bcc8950239478f663ba57daf8e0eeaec4c1d7633cc235c66f77a8590f8e15cc3cd128bdffc2b0eb98d5cb2b73463725aa6b

Download Submit
C:\Program Files (x86)\The BPR\TheBPRService.exe

Filesize
27KB

MD5
dce55d3591d309ea42ca94b30532ffa3

SHA1
ba64968e0e8cc91fa298fe8108bf61168e35fb2a

SHA256
1c4594ca41dceb90e1435eddd6254af49c228998c3d27b5c3670247d24ba5d2e

SHA512
38c9f27891e32d5288d7faa3debf3bcc8950239478f663ba57daf8e0eeaec4c1d7633cc235c66f77a8590f8e15cc3cd128bdffc2b0eb98d5cb2b73463725aa6b

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
14KB

MD5
9bcb7c7bc4dec3e5801fcd8daca29206

SHA1
c805c64d73f7eae0d544a4c60d9fcbd2fe12cc65

SHA256
50d5e72624590aa6211253cc3e91e63bad9565b22addcb8202c2d5299b761998

SHA512
7c97da43ad5f531b3302daf17ef1e12b1cb791b07351e7843b645729312feb56a7d643f432b11e49c337e2015b01af575ed6eaea830fe88701d61873a9afd59b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B

Filesize
2KB

MD5
dfce822557f6ff05615242546c381d31

SHA1
be998301034266968b96fb8de8716cbd256f960a

SHA256
7ab8ec96c66434cea57cb05611141eb3f486015c6b31d3e095dbc1984e3cc77c

SHA512
bd81a74ef573b7c21421845a255b8d06fd14e3e16e9d639a4460fd4967b6f1943c371a7fc5b459d46d428d4e1bf2fe9acab7b7c3a8bc97a50ae18d658c0c2dc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_10CB794FE9A249117F4005C9B6FF585D

Filesize
509B

MD5
bfd022e7a777e8041ce24800c4355122

SHA1
afb12d2061b5ca23dab577741480617f76623330

SHA256
c8d620d97481d0be0ff8a667b50fb6848a88e3e56b280c0edd3143b9eb742888

SHA512
afc286b691695bd4fed28c94de259c923bafa8459f9d8df4cb9307dcef54a8d0ace454cd18bf16a124b152e21c0684bb7ff44227c36cb7b7ca6c76ed347543aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
cdf8656737b5e64cbfda822f1f3fbbef

SHA1
caae804d81335629ec018a068466dd5a3a17d1fd

SHA256
4e93059c137d94b28f4f79e6f97fc1007efa7067ef008a6ba5e874a46e6e6fde

SHA512
73543470cf87c62f4c10258aa4e3e6936f6109245adf1095e3f3ccf7ed4affadbb1373a63c0d1ec16bce867e2d8f081029ac0c208a1caffaab197b3eedf545e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B

Filesize
490B

MD5
2e8e81fcfa7590aabfef9e476817f6d4

SHA1
c03f3be278422fbe15b0181e2762030741e465e5

SHA256
505564455b85cd6dc68dd499d47783733220072c89aaa3a278df14dd172f6bb7

SHA512
d97a92b1cc50fe911f0da822e5fccdaad75e333bc2fae7af3cb6881344cd1bae6f6ce50ab0668644c4c96443135afead8604cdc9467cfbc055e2a58cd770cbc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_10CB794FE9A249117F4005C9B6FF585D

Filesize
486B

MD5
85f7df9a25a4176058bbf62fc428bf81

SHA1
48373c503ece719d66d0e39f2c8de4bafe7bcf63

SHA256
03f732ebbf7fb1979cc9f719c1817fcbdb415501c59329f74e38972dc22383c8

SHA512
d84d5f2e2615803e9c96948f0d69bb0a0b783b2358919ee435b472320eb76f359ff55fd27981cec06375382ebe347f8f6541ff596f01e9cb1046e5d7325c6ce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d1987ace70512be8fc32d5f6e6b91a4

SHA1
9f7359803b502d9d179d86f7d781a1c683090f7a

SHA256
ff1cbc0f4aec54e2fb7dfd4ea42e8248c94d06feba99014834c7cca23b6f80ba

SHA512
555116a6fde6cdb50dd62416afd4896283e464c2ab3480f514dde5f364cd2b83b3114e296b6a001478f8aabe1651a9aca579fda26a1661b88d426bb6705c7cb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5cd8fe4e885dce99aac6e88a775a84c4

SHA1
b1e2b2aa6203b31fb4a2ca09e06d1005b114c736

SHA256
fa447395a3c9ba6c4948919b2da5d547d9ace50c95b410d5e099f209bc255d1f

SHA512
b2bd8e1ea968f76a7e0999fa2e78beeb6ac8215d9ef38c426ec5f1142290875446bab5405a3401ef528633fcf7e73e9ebcabb1b82b5f6c178523fa58e4963af5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3e2deec1143021be09bac9b2842a97e

SHA1
abede0a48a9acbf8512276b022d632952530b4a3

SHA256
c648c9f3f1db808fb8b6e5e089f59845ee80030077698f92d95cba96bd07a958

SHA512
1817ac06d6ba27e6c9b0e1c776bfcafe99aba8f36cabb327bba93e3a1e1f1d40a1efb731e1905c544499a7b9c67b4045acf7aa36bde6989e0fa2d56f22348dd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a773661d1d21e0ea0e48b30b72a4debe

SHA1
7d2f4206cbe2bf46623459798d0fee83daa0e462

SHA256
09220f96fce6a8d24ffd58a210eb089dcf2b72be120dc1bcffd3242992a9f7c1

SHA512
9c9fc19241af0c47dbd20f10e6ac9c7f9093200159b690570b13324d10a98a8c6a7a95630cf7c182939aa4c785cf2dc9f7201ac1d7b9022ccb1b7ec5889dfeba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
9551becbbbb6ebf0bccb10bc3e5681a3

SHA1
0c911ea57a263aef40e5937ee10ed36953774bf5

SHA256
73295a247d66a63366f5f7db5d13ff048afaf2b3bb6ba75e5d3437ed4aeccbf1

SHA512
1bcdf1860d86a6a077d3067fe2167969b69acca3b851531b2deb529ac35dcc0544beecf2bf52dd43bc3335bff52cca2f0c425c49547455b64fde1536ed537c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab826B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8432.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8699.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\The BPR\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
40fb9d65745402cd4c1a51b376533495

SHA1
f984f31856e1865d4b47e59358e10b83640b9c29

SHA256
73080934e4bdc9cac0aeb5cba2bda7c0981d141d5d8129491d21ab0fe956c7bb

SHA512
fea81ea8af1adce4b4dcf8c9f5265fc04973cea293d89903597ed0bda34851451d94b89cc6228009d33a37c94c8b54338110d52445c3701bdecd2f8cebc4470b

Download Submit
C:\Users\Admin\AppData\Roaming\The BPR\EBWebView\Default\Site Characteristics Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Roaming\The BPR\EBWebView\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\The BPR\EBWebView\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\The BPR\EBWebView\Local State

Filesize
1KB

MD5
390ab088afa5cc64ad6c82e2e0816e0d

SHA1
603accb8f2915e8da1230e252ab665336bc4b184

SHA256
47dc7b6ea5655cc981f6260eeff030d2556594b46a0160f49d6ee878fb6f9141

SHA512
2fa6b9daba3412c66a9585e4673bc1f4bdaa3a8701b3569ab1a98e5a190baa61633d9f228f1c5320784dc1a2f5e7e932c5a135009b52aa1ec5d6e7813eca406a

Download Submit
C:\Users\Admin\AppData\Roaming\The BPR\EBWebView\ShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\The BPR\EBWebView\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\The BPR\EBWebView\ShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\The BPR\EBWebView\ShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Windows\Installer\MSI5CC8.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Windows\Installer\MSIDF69.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Windows\Installer\MSIE0D1.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Windows\Installer\MSIFCF.tmp

Filesize
1.5MB

MD5
8f40e559a798f91fd8accf0e35b801c1

SHA1
72b3aee65acdeaece3be5b0087627d36e35597c8

SHA256
372fd3deb515af9534164d1aa91c5143c8feeb5f06ced7be00a708fc7b2bfaa3

SHA512
29fa4745e357c9627d8404a6fa3c78191fa10e8da80f74a2f84cd05140305598ac0bc228709e0acceb222d47ca2db3d632709bdfe47d62be3cabe6d87e0c1799

Download Submit
C:\Windows\Installer\MSIFCF.tmp

Filesize
1.5MB

MD5
8f40e559a798f91fd8accf0e35b801c1

SHA1
72b3aee65acdeaece3be5b0087627d36e35597c8

SHA256
372fd3deb515af9534164d1aa91c5143c8feeb5f06ced7be00a708fc7b2bfaa3

SHA512
29fa4745e357c9627d8404a6fa3c78191fa10e8da80f74a2f84cd05140305598ac0bc228709e0acceb222d47ca2db3d632709bdfe47d62be3cabe6d87e0c1799

Download Submit
C:\Windows\Installer\f76de10.msi

Filesize
11.8MB

MD5
6c18d2ef58254ef7ed313615a4d22313

SHA1
b3378cd5fdb3e39ec2efa56f8f734528dd60edc0

SHA256
c3ff654a5d646b05b0f2bbd561c9755523da906faf5159fa681beddce2a5edab

SHA512
fe211b2ed86e3c8d5503ffe182b904707b4885e7af3b98df50d78d65b98b6aa1d976e9949b80e583746baf9b96e186740fab569888888bec61822cbfb6e22e2f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b28bc43a4a52f23074c74a3db34e790f

SHA1
df5d8ac19d94b5d9a69cb75ff1561991c1b04937

SHA256
8a484a7a0a0706d078f89d7cf7e570c979fef24e5638127dc8c62017b8646b9d

SHA512
42d773bdc758dc423e23071f4de58e05f17c5fbccd3a5a32fe5dc1df049e45b1bb942432bdd03384138b82dd8f4ca0601a3f379b7fb68236965753d5129d2b02

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f35c6d561501c2278f7db923d41a040a

SHA1
2139651ade08250a06a5b1987cb3236d38b18577

SHA256
b2b1950ae017892309f1bbbb361d15281412e949da41f76a83bc28316fcf8bc4

SHA512
21d748a37eaf4fca7008e3783e607a61a9ec54d13993d8d1827ec6f7f28c58716a27a7df9a663e44a937a43e862c5fcc85fd260de2ebbbd84cfcb62de54b1f8e

Download Submit
\Program Files (x86)\Microsoft\Temp\EU1056.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
cfad69d55cbb9ceeffaccdd176e19f7a

SHA1
076f72b145f761d23d533ed981ae059fa61339d2

SHA256
a238fc18a787d5f21a4942690029e0240597c7fc0d7dbb401063486387b7bf7c

SHA512
6a125ee8d46c444bfbd92967d46c7c127da7904fa9f9505528cd479ea169ce4c9026400e5b59e136fc0a2c8e2de64a53eb4e7cc8ddbdb5f541df47ed401f04a5

Download Submit
\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
fe453156c03a6f223c2b9fd4436eab4f

SHA1
a9812efd18fc8b4b4ef93429c9555d4c0e27e939

SHA256
960034ebf4e93f488adc52f93a0b186b9eb88619418ccf66bafd4872770e5c56

SHA512
2a25c7b194aa3e05860b9346e50a39be914d230c668d8411f6a2a3607a28f0d86ccc9db118c64b70d4d78322b0a39e5d190b6fa22d9d32afb0247e750d572e4c

Download Submit
\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
3b6cc9d8797beedf5bf7881358cb8049

SHA1
4a7204e2cb8d20317443b003df32da026aa20244

SHA256
ab7ee167a94a025ea67bed31d1014721b8dd83204ad677fbe83dc9d66ef6df7d

SHA512
4f4e1526f2d502237c341c1b5a307f12fd779dfab69939ee6620cb4ffe6acd221c9bf022793495deb6ac42a7669f4fe9e2f5880a468c7e861ef283c15603b2bb

Download Submit
\Program Files (x86)\Microsoft\Temp\EU1056.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
3b6cc9d8797beedf5bf7881358cb8049

SHA1
4a7204e2cb8d20317443b003df32da026aa20244

SHA256
ab7ee167a94a025ea67bed31d1014721b8dd83204ad677fbe83dc9d66ef6df7d

SHA512
4f4e1526f2d502237c341c1b5a307f12fd779dfab69939ee6620cb4ffe6acd221c9bf022793495deb6ac42a7669f4fe9e2f5880a468c7e861ef283c15603b2bb

Download Submit
\Program Files (x86)\The BPR\Newtonsoft.Json.dll

Filesize
686KB

MD5
b9e0bab5c344b88ab1ff8d5427801ed6

SHA1
3b3b1eb060990305fac74670787e676816faead5

SHA256
827c417c12c5b28d28284fc919f0d1e271dadaf45022f5640234fa66cd12414e

SHA512
b7de36e3ae63e7d50fa6119986224682703092f03c2519d4642245463300d6c933631d5a1873f8b2d2bab1b319d9c2b4feaf74e598865a47a9d1f6aa28290197

Download Submit
\Program Files (x86)\The BPR\Newtonsoft.Json.dll

Filesize
686KB

MD5
b9e0bab5c344b88ab1ff8d5427801ed6

SHA1
3b3b1eb060990305fac74670787e676816faead5

SHA256
827c417c12c5b28d28284fc919f0d1e271dadaf45022f5640234fa66cd12414e

SHA512
b7de36e3ae63e7d50fa6119986224682703092f03c2519d4642245463300d6c933631d5a1873f8b2d2bab1b319d9c2b4feaf74e598865a47a9d1f6aa28290197

Download Submit
\Program Files (x86)\The BPR\Newtonsoft.Json.dll

Filesize
686KB

MD5
b9e0bab5c344b88ab1ff8d5427801ed6

SHA1
3b3b1eb060990305fac74670787e676816faead5

SHA256
827c417c12c5b28d28284fc919f0d1e271dadaf45022f5640234fa66cd12414e

SHA512
b7de36e3ae63e7d50fa6119986224682703092f03c2519d4642245463300d6c933631d5a1873f8b2d2bab1b319d9c2b4feaf74e598865a47a9d1f6aa28290197

Download Submit
\Program Files (x86)\The BPR\Newtonsoft.Json.dll

Filesize
686KB

MD5
b9e0bab5c344b88ab1ff8d5427801ed6

SHA1
3b3b1eb060990305fac74670787e676816faead5

SHA256
827c417c12c5b28d28284fc919f0d1e271dadaf45022f5640234fa66cd12414e

SHA512
b7de36e3ae63e7d50fa6119986224682703092f03c2519d4642245463300d6c933631d5a1873f8b2d2bab1b319d9c2b4feaf74e598865a47a9d1f6aa28290197

Download Submit
\Program Files (x86)\The BPR\The BPR.exe

Filesize
4.2MB

MD5
9d8f151e53cd19d6d76a4f1a45bd2ccd

SHA1
7e26ce0c30e0a5e654cca80743a0aebc6e94a7e5

SHA256
2900d0e7204a38ebb65eedb7357db8aefd0527787738a87f12ad84d9f0534137

SHA512
f1b26756f72e1339ef7a3df0b0e13205851c93794f7321668ba64588ab70c7f57d0f91889e42acbf7d5e51a90df13dd78c24d775f6b5d0eb9601f48e390b1999

Download Submit
\Program Files (x86)\The BPR\The BPR.exe

Filesize
4.2MB

MD5
9d8f151e53cd19d6d76a4f1a45bd2ccd

SHA1
7e26ce0c30e0a5e654cca80743a0aebc6e94a7e5

SHA256
2900d0e7204a38ebb65eedb7357db8aefd0527787738a87f12ad84d9f0534137

SHA512
f1b26756f72e1339ef7a3df0b0e13205851c93794f7321668ba64588ab70c7f57d0f91889e42acbf7d5e51a90df13dd78c24d775f6b5d0eb9601f48e390b1999

Download Submit
\Windows\Installer\MSIDF69.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
\Windows\Installer\MSIE0D1.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
memory/904-2110-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/1564-156-0x0000000004F00000-0x0000000004FB0000-memory.dmp

Filesize
704KB

Download
memory/1564-151-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/1564-453-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/1564-150-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/1564-149-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/1564-458-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/1688-1978-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2264-1794-0x0000000001170000-0x00000000011B0000-memory.dmp

Filesize
256KB

Download
memory/2264-1977-0x0000000001170000-0x00000000011B0000-memory.dmp

Filesize
256KB

Download
memory/2264-1976-0x0000000001170000-0x00000000011B0000-memory.dmp

Filesize
256KB

Download
memory/2264-1975-0x0000000001170000-0x00000000011B0000-memory.dmp

Filesize
256KB

Download
memory/2264-1911-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-1909-0x00000000063A0000-0x0000000006522000-memory.dmp

Filesize
1.5MB

Download
memory/2264-1910-0x0000000005E30000-0x0000000005EDC000-memory.dmp

Filesize
688KB

Download
memory/2264-2103-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/2264-2108-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/2264-1908-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/2264-2143-0x0000000005950000-0x000000000595C000-memory.dmp

Filesize
48KB

Download
memory/2264-1729-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-1834-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/2264-1835-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/2264-1806-0x00000000009A0000-0x00000000009BE000-memory.dmp

Filesize
120KB

Download
memory/2264-1799-0x0000000000A10000-0x0000000000A58000-memory.dmp

Filesize
288KB

Download
memory/2264-2759-0x0000000018DA0000-0x0000000018EA0000-memory.dmp

Filesize
1024KB

Download
memory/2264-1785-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/2264-1732-0x0000000001170000-0x00000000011B0000-memory.dmp

Filesize
256KB

Download
memory/2264-1728-0x0000000001330000-0x000000000176A000-memory.dmp

Filesize
4.2MB

Download
memory/2264-2447-0x0000000018DA0000-0x0000000018EA0000-memory.dmp

Filesize
1024KB

Download
memory/2264-2734-0x0000000001170000-0x00000000011B0000-memory.dmp

Filesize
256KB

Download
memory/2296-2177-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/2824-473-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download