ef2205ae2d9f197b0bbaa47727574613cc7d5551b3cb4bff567df44cfcaadce6

Analysis

max time kernel
404s
max time network
400s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InstallTopup.exe
Size

49.0MB
MD5

6820e187ce38f3e540804a55f1ff9a5d
SHA1

52f4fcf363ff06e8363477441f9e8c087b3f9c45
SHA256

ef2205ae2d9f197b0bbaa47727574613cc7d5551b3cb4bff567df44cfcaadce6
SHA512

348e8541e24bfdf78464cfbb53859ba87deab96c0cad321790511ab645dbf4b2cfcadafcbd9e974a1e2403295f57adca97d07fadab563b6d100c982ec4bdf9f9
SSDEEP

1572864:lsTuRN2zfdzkypBxIBu1O8ghZfbEo8DFBoJ+J:q19tT1OtZfhqzJ

Score

6^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	InstallTopup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	InstallTopup.exe
File opened (read-only)	\??\H:	InstallTopup.exe
File opened (read-only)	\??\Q:	InstallTopup.exe
File opened (read-only)	\??\Z:	InstallTopup.exe
File opened (read-only)	\??\J:	InstallTopup.exe
File opened (read-only)	\??\O:	InstallTopup.exe
File opened (read-only)	\??\U:	InstallTopup.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	InstallTopup.exe
File opened (read-only)	\??\N:	InstallTopup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	InstallTopup.exe
File opened (read-only)	\??\Y:	InstallTopup.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	InstallTopup.exe
File opened (read-only)	\??\W:	InstallTopup.exe
File opened (read-only)	\??\Z:	InstallTopup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	InstallTopup.exe
File opened (read-only)	\??\J:	InstallTopup.exe
File opened (read-only)	\??\K:	InstallTopup.exe
File opened (read-only)	\??\X:	InstallTopup.exe
File opened (read-only)	\??\A:	InstallTopup.exe
File opened (read-only)	\??\S:	InstallTopup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	InstallTopup.exe
File opened (read-only)	\??\Y:	InstallTopup.exe
File opened (read-only)	\??\K:	InstallTopup.exe
File opened (read-only)	\??\L:	InstallTopup.exe
File opened (read-only)	\??\M:	InstallTopup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	InstallTopup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	InstallTopup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	InstallTopup.exe
File opened (read-only)	\??\B:	InstallTopup.exe
File opened (read-only)	\??\V:	InstallTopup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	InstallTopup.exe
File opened (read-only)	\??\R:	InstallTopup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	InstallTopup.exe
File opened (read-only)	\??\Q:	InstallTopup.exe
File opened (read-only)	\??\T:	InstallTopup.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	InstallTopup.exe
File opened (read-only)	\??\H:	InstallTopup.exe
File opened (read-only)	\??\L:	InstallTopup.exe
File opened (read-only)	\??\M:	InstallTopup.exe
File opened (read-only)	\??\R:	InstallTopup.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	InstallTopup.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_mi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_nn.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2023\SA105.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2023\SA801.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2024\SA103F.pdf	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\Partnerships.dll	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\DevExpress.XtraTreeList.v21.2.dll	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2023\SA100.pdf	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_fa.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_vi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_ne.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2016\R40_M_v2.0.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\DevExpress.XtraReports.v21.2.dll	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2023\SA103S.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2024\SA110.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2015\CT600J-2015.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\runtimes\win-x86\native\WebView2Loader.dll	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2024\SA101.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2024\SA108.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2024\SA900.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2020\MTR-v2-0.xslt	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\TopupTaxTemplates\TR - return for signing - repayment.docx	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\TopupTaxTemplates\notes for editing.txt	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_fi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2021\Partnerships-v1-0.xslt	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\TopupTaxTemplates\Fee account to client.docx	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_hi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\DevExpress.Data.v21.2.dll	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2023\SA102M.pdf	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\psuser_64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\topuptax.exe	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_hr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\O2S.Components.PDF4NET.dll	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\DevExpress.XtraGrid.v21.2.dll	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2024\SA109.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2024\MTR-v1-0.xslt	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_nl.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_pt-BR.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_sq.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\TupHelp.exe	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\DevExpress.XtraEditors.v21.2.dll	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2023\SA904.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2024\SA804.pdf	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_th.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_ug.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2023\SA106.pdf	msiexec.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2023\SA109.pdf	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_id.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_lv.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_uk.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_kk.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_tt.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2024\SA105.pdf	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\NOTICE.TXT	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_hu.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_bs.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_lb.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\TupTools.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Topup Software Ltd\TopupTax\updater.ini	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_en.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_pa.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Topup Software Ltd\TopupTax\forms\2019\R40_M_2019.pdf	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{05D88F42-69B3-4333-B1F0-C737B01F812D}\TUS.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{05D88F42-69B3-4333-B1F0-C737B01F812D}\TupTools_1.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f79cc44.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{05D88F42-69B3-4333-B1F0-C737B01F812D}\topuptax.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f79cc44.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDCC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE8DE.tmp	msiexec.exe
File created	C:\Windows\Installer\f79cc47.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f79cc45.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSICE79.tmp	msiexec.exe
File created	C:\Windows\Installer\{05D88F42-69B3-4333-B1F0-C737B01F812D}\topuptax.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF16.tmp	msiexec.exe
File created	C:\Windows\Installer\f79cc45.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{05D88F42-69B3-4333-B1F0-C737B01F812D}\TUS.exe	msiexec.exe
File created	C:\Windows\Installer\{05D88F42-69B3-4333-B1F0-C737B01F812D}\TupTools_1.exe	msiexec.exe

Executes dropped EXE 18 IoCs

pid	Process
2128	MicrosoftEdgeWebview2Setup.exe
1656	MicrosoftEdgeUpdate.exe
2628	MicrosoftEdgeUpdate.exe
2636	MicrosoftEdgeUpdate.exe
2888	MicrosoftEdgeUpdateComRegisterShell64.exe
2592	MicrosoftEdgeUpdateComRegisterShell64.exe
2740	MicrosoftEdgeUpdateComRegisterShell64.exe
2604	MicrosoftEdgeUpdate.exe
2444	MicrosoftEdgeUpdate.exe
2552	MicrosoftEdgeUpdate.exe
2448	MicrosoftEdgeUpdate.exe
3048	MicrosoftEdge_X64_123.0.2420.81.exe
2748	MicrosoftEdgeUpdate.exe
2784	MicrosoftEdgeUpdate.exe
760	MicrosoftEdgeUpdateComRegisterShell64.exe
2072	MicrosoftEdgeUpdateComRegisterShell64.exe
2296	MicrosoftEdgeUpdateComRegisterShell64.exe
1568	topuptax.exe

Loads dropped DLL 56 IoCs

pid	Process
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
2128	MicrosoftEdgeWebview2Setup.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
2636	MicrosoftEdgeUpdate.exe
2636	MicrosoftEdgeUpdate.exe
2888	MicrosoftEdgeUpdateComRegisterShell64.exe
2636	MicrosoftEdgeUpdate.exe
2636	MicrosoftEdgeUpdate.exe
2592	MicrosoftEdgeUpdateComRegisterShell64.exe
2636	MicrosoftEdgeUpdate.exe
2636	MicrosoftEdgeUpdate.exe
2740	MicrosoftEdgeUpdateComRegisterShell64.exe
2636	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
2552	MicrosoftEdgeUpdate.exe
2444	MicrosoftEdgeUpdate.exe
2552	MicrosoftEdgeUpdate.exe
2552	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
2784	MicrosoftEdgeUpdate.exe
760	MicrosoftEdgeUpdateComRegisterShell64.exe
2784	MicrosoftEdgeUpdate.exe
2784	MicrosoftEdgeUpdate.exe
2072	MicrosoftEdgeUpdateComRegisterShell64.exe
2784	MicrosoftEdgeUpdate.exe
2784	MicrosoftEdgeUpdate.exe
2296	MicrosoftEdgeUpdateComRegisterShell64.exe
2784	MicrosoftEdgeUpdate.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1456	MsiExec.exe
1456	MsiExec.exe
1456	MsiExec.exe
1476	MsiExec.exe

Registers COM server for autorun 1 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-c6-42-6a-32-77\WpadDecisionTime = 3016d221648ada01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8CF9FA3F-E1A1-4281-B70F-AEF1CFB1E28E}\WpadDecisionTime = d07247fb638ada01	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-c6-42-6a-32-77\WpadDecisionTime = d07247fb638ada01	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8CF9FA3F-E1A1-4281-B70F-AEF1CFB1E28E}\WpadNetworkName = "Network 3"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-c6-42-6a-32-77\WpadDecision = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-c6-42-6a-32-77\WpadDecisionTime = d07247fb638ada01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8CF9FA3F-E1A1-4281-B70F-AEF1CFB1E28E}\WpadDecision = "0"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8CF9FA3F-E1A1-4281-B70F-AEF1CFB1E28E}\WpadDecisionReason = "1"	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8CF9FA3F-E1A1-4281-B70F-AEF1CFB1E28E}\WpadDecisionTime = 9044bef2638ada01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8CF9FA3F-E1A1-4281-B70F-AEF1CFB1E28E}\5a-c6-42-6a-32-77	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LocalServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\CurVer\ = "MicrosoftEdgeUpdate.Update3COMClassService.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{B4A02D72-2A34-41DB-B37F-05DFDB27E933}"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\ProgID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LocalServer32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalServer32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0\CLSID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ = "Update3COMClass"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{B4A02D72-2A34-41DB-B37F-05DFDB27E933}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{B4A02D72-2A34-41DB-B37F-05DFDB27E933}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\LocalServer32	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{B4A02D72-2A34-41DB-B37F-05DFDB27E933}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ = "Microsoft Edge Update Process Launcher Class"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\CurVer	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine.dll"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CLSID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	InstallTopup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	InstallTopup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	InstallTopup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	InstallTopup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	InstallTopup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	InstallTopup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	InstallTopup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	InstallTopup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	InstallTopup.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
2552	MicrosoftEdgeUpdate.exe
2552	MicrosoftEdgeUpdate.exe
2448	MicrosoftEdgeUpdate.exe
2448	MicrosoftEdgeUpdate.exe
2748	MicrosoftEdgeUpdate.exe
2748	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1656	MicrosoftEdgeUpdate.exe
1192	msiexec.exe
1192	msiexec.exe
1568	topuptax.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1568	topuptax.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeSecurityPrivilege	1192	msiexec.exe
Token: SeCreateTokenPrivilege	2076	InstallTopup.exe
Token: SeAssignPrimaryTokenPrivilege	2076	InstallTopup.exe
Token: SeLockMemoryPrivilege	2076	InstallTopup.exe
Token: SeIncreaseQuotaPrivilege	2076	InstallTopup.exe
Token: SeMachineAccountPrivilege	2076	InstallTopup.exe
Token: SeTcbPrivilege	2076	InstallTopup.exe
Token: SeSecurityPrivilege	2076	InstallTopup.exe
Token: SeTakeOwnershipPrivilege	2076	InstallTopup.exe
Token: SeLoadDriverPrivilege	2076	InstallTopup.exe
Token: SeSystemProfilePrivilege	2076	InstallTopup.exe
Token: SeSystemtimePrivilege	2076	InstallTopup.exe
Token: SeProfSingleProcessPrivilege	2076	InstallTopup.exe
Token: SeIncBasePriorityPrivilege	2076	InstallTopup.exe
Token: SeCreatePagefilePrivilege	2076	InstallTopup.exe
Token: SeCreatePermanentPrivilege	2076	InstallTopup.exe
Token: SeBackupPrivilege	2076	InstallTopup.exe
Token: SeRestorePrivilege	2076	InstallTopup.exe
Token: SeShutdownPrivilege	2076	InstallTopup.exe
Token: SeDebugPrivilege	2076	InstallTopup.exe
Token: SeAuditPrivilege	2076	InstallTopup.exe
Token: SeSystemEnvironmentPrivilege	2076	InstallTopup.exe
Token: SeChangeNotifyPrivilege	2076	InstallTopup.exe
Token: SeRemoteShutdownPrivilege	2076	InstallTopup.exe
Token: SeUndockPrivilege	2076	InstallTopup.exe
Token: SeSyncAgentPrivilege	2076	InstallTopup.exe
Token: SeEnableDelegationPrivilege	2076	InstallTopup.exe
Token: SeManageVolumePrivilege	2076	InstallTopup.exe
Token: SeImpersonatePrivilege	2076	InstallTopup.exe
Token: SeCreateGlobalPrivilege	2076	InstallTopup.exe
Token: SeCreateTokenPrivilege	2076	InstallTopup.exe
Token: SeAssignPrimaryTokenPrivilege	2076	InstallTopup.exe
Token: SeLockMemoryPrivilege	2076	InstallTopup.exe
Token: SeIncreaseQuotaPrivilege	2076	InstallTopup.exe
Token: SeMachineAccountPrivilege	2076	InstallTopup.exe
Token: SeTcbPrivilege	2076	InstallTopup.exe
Token: SeSecurityPrivilege	2076	InstallTopup.exe
Token: SeTakeOwnershipPrivilege	2076	InstallTopup.exe
Token: SeLoadDriverPrivilege	2076	InstallTopup.exe
Token: SeSystemProfilePrivilege	2076	InstallTopup.exe
Token: SeSystemtimePrivilege	2076	InstallTopup.exe
Token: SeProfSingleProcessPrivilege	2076	InstallTopup.exe
Token: SeIncBasePriorityPrivilege	2076	InstallTopup.exe
Token: SeCreatePagefilePrivilege	2076	InstallTopup.exe
Token: SeCreatePermanentPrivilege	2076	InstallTopup.exe
Token: SeBackupPrivilege	2076	InstallTopup.exe
Token: SeRestorePrivilege	2076	InstallTopup.exe
Token: SeShutdownPrivilege	2076	InstallTopup.exe
Token: SeDebugPrivilege	2076	InstallTopup.exe
Token: SeAuditPrivilege	2076	InstallTopup.exe
Token: SeSystemEnvironmentPrivilege	2076	InstallTopup.exe
Token: SeChangeNotifyPrivilege	2076	InstallTopup.exe
Token: SeRemoteShutdownPrivilege	2076	InstallTopup.exe
Token: SeUndockPrivilege	2076	InstallTopup.exe
Token: SeSyncAgentPrivilege	2076	InstallTopup.exe
Token: SeEnableDelegationPrivilege	2076	InstallTopup.exe
Token: SeManageVolumePrivilege	2076	InstallTopup.exe
Token: SeImpersonatePrivilege	2076	InstallTopup.exe
Token: SeCreateGlobalPrivilege	2076	InstallTopup.exe
Token: SeCreateTokenPrivilege	2076	InstallTopup.exe
Token: SeAssignPrimaryTokenPrivilege	2076	InstallTopup.exe
Token: SeLockMemoryPrivilege	2076	InstallTopup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2076	InstallTopup.exe
2076	InstallTopup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1568	topuptax.exe
1568	topuptax.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1476	1192	msiexec.exe	29
PID 1192 wrote to memory of 1476	1192	msiexec.exe	29
PID 1192 wrote to memory of 1476	1192	msiexec.exe	29
PID 1192 wrote to memory of 1476	1192	msiexec.exe	29
PID 1192 wrote to memory of 1476	1192	msiexec.exe	29
PID 1192 wrote to memory of 1476	1192	msiexec.exe	29
PID 1192 wrote to memory of 1476	1192	msiexec.exe	29
PID 1476 wrote to memory of 2192	1476	MsiExec.exe	30
PID 1476 wrote to memory of 2192	1476	MsiExec.exe	30
PID 1476 wrote to memory of 2192	1476	MsiExec.exe	30
PID 1476 wrote to memory of 2192	1476	MsiExec.exe	30
PID 1476 wrote to memory of 2192	1476	MsiExec.exe	30
PID 1476 wrote to memory of 2192	1476	MsiExec.exe	30
PID 1476 wrote to memory of 2192	1476	MsiExec.exe	30
PID 1476 wrote to memory of 2128	1476	MsiExec.exe	31
PID 1476 wrote to memory of 2128	1476	MsiExec.exe	31
PID 1476 wrote to memory of 2128	1476	MsiExec.exe	31
PID 1476 wrote to memory of 2128	1476	MsiExec.exe	31
PID 1476 wrote to memory of 2128	1476	MsiExec.exe	31
PID 1476 wrote to memory of 2128	1476	MsiExec.exe	31
PID 1476 wrote to memory of 2128	1476	MsiExec.exe	31
PID 2128 wrote to memory of 1656	2128	MicrosoftEdgeWebview2Setup.exe	32
PID 2128 wrote to memory of 1656	2128	MicrosoftEdgeWebview2Setup.exe	32
PID 2128 wrote to memory of 1656	2128	MicrosoftEdgeWebview2Setup.exe	32
PID 2128 wrote to memory of 1656	2128	MicrosoftEdgeWebview2Setup.exe	32
PID 2128 wrote to memory of 1656	2128	MicrosoftEdgeWebview2Setup.exe	32
PID 2128 wrote to memory of 1656	2128	MicrosoftEdgeWebview2Setup.exe	32
PID 2128 wrote to memory of 1656	2128	MicrosoftEdgeWebview2Setup.exe	32
PID 1656 wrote to memory of 2628	1656	MicrosoftEdgeUpdate.exe	33
PID 1656 wrote to memory of 2628	1656	MicrosoftEdgeUpdate.exe	33
PID 1656 wrote to memory of 2628	1656	MicrosoftEdgeUpdate.exe	33
PID 1656 wrote to memory of 2628	1656	MicrosoftEdgeUpdate.exe	33
PID 1656 wrote to memory of 2628	1656	MicrosoftEdgeUpdate.exe	33
PID 1656 wrote to memory of 2628	1656	MicrosoftEdgeUpdate.exe	33
PID 1656 wrote to memory of 2628	1656	MicrosoftEdgeUpdate.exe	33
PID 1656 wrote to memory of 2636	1656	MicrosoftEdgeUpdate.exe	34
PID 1656 wrote to memory of 2636	1656	MicrosoftEdgeUpdate.exe	34
PID 1656 wrote to memory of 2636	1656	MicrosoftEdgeUpdate.exe	34
PID 1656 wrote to memory of 2636	1656	MicrosoftEdgeUpdate.exe	34
PID 1656 wrote to memory of 2636	1656	MicrosoftEdgeUpdate.exe	34
PID 1656 wrote to memory of 2636	1656	MicrosoftEdgeUpdate.exe	34
PID 1656 wrote to memory of 2636	1656	MicrosoftEdgeUpdate.exe	34
PID 2636 wrote to memory of 2888	2636	MicrosoftEdgeUpdate.exe	35
PID 2636 wrote to memory of 2888	2636	MicrosoftEdgeUpdate.exe	35
PID 2636 wrote to memory of 2888	2636	MicrosoftEdgeUpdate.exe	35
PID 2636 wrote to memory of 2888	2636	MicrosoftEdgeUpdate.exe	35
PID 2636 wrote to memory of 2592	2636	MicrosoftEdgeUpdate.exe	36
PID 2636 wrote to memory of 2592	2636	MicrosoftEdgeUpdate.exe	36
PID 2636 wrote to memory of 2592	2636	MicrosoftEdgeUpdate.exe	36
PID 2636 wrote to memory of 2592	2636	MicrosoftEdgeUpdate.exe	36
PID 2636 wrote to memory of 2740	2636	MicrosoftEdgeUpdate.exe	37
PID 2636 wrote to memory of 2740	2636	MicrosoftEdgeUpdate.exe	37
PID 2636 wrote to memory of 2740	2636	MicrosoftEdgeUpdate.exe	37
PID 2636 wrote to memory of 2740	2636	MicrosoftEdgeUpdate.exe	37
PID 1656 wrote to memory of 2604	1656	MicrosoftEdgeUpdate.exe	38
PID 1656 wrote to memory of 2604	1656	MicrosoftEdgeUpdate.exe	38
PID 1656 wrote to memory of 2604	1656	MicrosoftEdgeUpdate.exe	38
PID 1656 wrote to memory of 2604	1656	MicrosoftEdgeUpdate.exe	38
PID 1656 wrote to memory of 2604	1656	MicrosoftEdgeUpdate.exe	38
PID 1656 wrote to memory of 2604	1656	MicrosoftEdgeUpdate.exe	38
PID 1656 wrote to memory of 2604	1656	MicrosoftEdgeUpdate.exe	38
PID 1656 wrote to memory of 2444	1656	MicrosoftEdgeUpdate.exe	39
PID 1656 wrote to memory of 2444	1656	MicrosoftEdgeUpdate.exe	39
PID 1656 wrote to memory of 2444	1656	MicrosoftEdgeUpdate.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\InstallTopup.exe
"C:\Users\Admin\AppData\Local\Temp\InstallTopup.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2076
- C:\Users\Admin\AppData\Local\Temp\InstallTopup.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallTopup.exe" /i "C:\Users\Admin\AppData\Roaming\Topup Software Ltd\TopupTax\1.3.38\install\01F812D\InstallTopup.msi" /L*V C:\Users\Admin\AppData\Local\Temp\installtopup.log AI_EUIMSI=1 SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TopupTax" APPDIR="C:\Program Files (x86)\Topup Software Ltd\TopupTax" SECONDSEQUENCE="1" CLIENTPROCESSID="2076" AI_MORE_CMD_LINE=1
  2⤵
  - Enumerates connected drives
  - Modifies system certificate store
  PID:2496

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C1B63F1DB3849A79F8CDC8103D28142 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\InstallTopup.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallTopup.exe" /groupsextract:101; /out:"C:\Users\Admin\AppData\Roaming\Topup Software Ltd\TopupTax\prerequisites" /callbackid:1476
    3⤵
    PID:2192
- - C:\Users\Admin\AppData\Roaming\Topup Software Ltd\TopupTax\prerequisites\WebView2\MicrosoftEdgeWebview2Setup.exe
    "C:\Users\Admin\AppData\Roaming\Topup Software Ltd\TopupTax\prerequisites\WebView2\MicrosoftEdgeWebview2Setup.exe" /silent /install
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=true"
      4⤵
      Sets file execution options in registry
      Checks system information in the registry
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2888
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2592
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2740
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNTMiIHNoZWxsX3ZlcnNpb249IjEuMy4xNTMuNTMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUUwQkZBODEtQjNFQi00MkU0LUE3NUItMzIzRDBFMTNCNzI4fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFQTU0NkRCQy1GM0E4LTQyOEItQjY5QS1BMDBGRTM2QUQ1RTB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE1My41MyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxNjY5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Checks system information in the registry
        Executes dropped EXE
        
        PID:2604
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=true" /installsource otherinstallcmd /sessionid "{EE0BFA81-B3EB-42E4-A75B-323D0E13B728}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2444
      - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "2444" "460"
        6⤵
        
        PID:2560
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "1656" "540"
        5⤵
        
        PID:2696
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /unregserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2784
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe" /unregister
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:760
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe" /unregister
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2072
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe" /unregister
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2296
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1B65E865FCF57F832A01743CCF4BCAD
  2⤵
  - Loads dropped DLL
  PID:1456

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2552
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNTMiIHNoZWxsX3ZlcnNpb249IjEuMy4xNTMuNTMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUUwQkZBODEtQjNFQi00MkU0LUE3NUItMzIzRDBFMTNCNzI4fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InszMDU5QTY4MC1BMDVFLTQyMkMtQjE5Ny0yOTE1OTFCNTMxMDB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNDciIGluc3RhbGxkYXRlPSItNCIgaW5zdGFsbGRhdGV0aW1lPSIxNzA4NTI5MjA1Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Drops file in System32 directory
  - Checks system information in the registry
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2448
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FFF9785E-9B08-4F16-8479-514DB38AC5D1}\MicrosoftEdge_X64_123.0.2420.81.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FFF9785E-9B08-4F16-8479-514DB38AC5D1}\MicrosoftEdge_X64_123.0.2420.81.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNTMiIHNoZWxsX3ZlcnNpb249IjEuMy4xNTMuNTMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUUwQkZBODEtQjNFQi00MkU0LUE3NUItMzIzRDBFMTNCNzI4fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InszRkJGMTdCMi02MDYxLTQxRjUtQjA3NS00Nzc1NTNCNDE2MEN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTIzLjAuMjQyMC44MSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy83YTBhMGJkNi1iOWM5LTRjNTYtOTY0OS1lOWU5YzIyZmJlNDM_UDE9MTcxMzI2MTMxNSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1PRUdVcHUlMmZiMyUyYjhjYVNuRzZZcTloZ1JEVUJHRlIlMmZwJTJmcEdnalplZjExZHQwaDN0cnk2Y29NWEpEcVlkQ0JBayUyZkolMmZHNnpZeW9iTGhTRGxjRSUyYnhoSFd3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBkb3dubG9hZGVkPSIxNzIwODY3NDQiIHRvdGFsPSIxNzIwODY3NDQiIGRvd25sb2FkX3RpbWVfbXM9IjIyNzQ1Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc291cmNlX3VybF9pbmRleD0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzIxOTE5OSIgZXh0cmFjb2RlMT0iLTIxNDcwMjQ3MDMiIHNvdXJjZV91cmxfaW5kZXg9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI1ODM0IiBkb3dubG9hZF90aW1lX21zPSIyNjg3OSIgZG93bmxvYWRlZD0iMTcyMDg2NzQ0IiB0b3RhbD0iMTcyMDg2NzQ0IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSIxMTU0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Drops file in System32 directory
  - Checks system information in the registry
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2620

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000554" "0000000000000564"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2016

C:\Program Files (x86)\Topup Software Ltd\TopupTax\topuptax.exe
"C:\Program Files (x86)\Topup Software Ltd\TopupTax\topuptax.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1568
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1568 -s 1412
  2⤵
  PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f79cc46.rbs

Filesize
26KB

MD5
fcbc8e934b5e9bab254173b7b8222593

SHA1
90f1475bfc91c0c7218d7c17ecad3735bd9d09ae

SHA256
e8deca89944d6bbf86f3f53e2faf443e0176e6aae25f6919dc690c21fe0b4c5e

SHA512
b27bca720cda71cb990bff303895355c24fc9ab30a64f3edd29e45c5b001ab3b0d0fb985647957b28fad61ad1d163b20780991be17cb57d406544526ad75c795

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\123.0.2420.81\MicrosoftEdge_X64_123.0.2420.81.exe

Filesize
164.1MB

MD5
cf5144a59c3b26558c05a5226c4b53fe

SHA1
bcf541fbd1bf0168a2d63ead5b06d8918b89b296

SHA256
3a848782e612b4fd77d4910acb1a6f91b1eea3336065d4643486ff17e24970ea

SHA512
2d46fdc92c09257cfafc9bdd659413d7925f405d7b78a6d9a44e353984d9fd70b7c3e9b87475eeee80f984377fdbb884055f4a4f10b7972746811326bfeb9a34

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
160KB

MD5
ffb6702956d281b3a6ba56038072584b

SHA1
0b6e2cbee6e297d8afbd0503ff00b53e30dcfa0b

SHA256
8bca492fb1f5dddca9722dd18dad4a7ee75599644f06eb46bf281bbeec4ac1aa

SHA512
402556c91f0537badc3fb7f75ed39c460838bf43ed64dfabd0a588ec6da9681e15f909e4fd5af66c9ed3c4e100a726423443f685b13dcf4e492d52ef19c1a771

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
203KB

MD5
4c8680365aaf2610a945923fadd1e7da

SHA1
77f3ad34bb0f3e4861d4c644544138642e4a9e62

SHA256
860222a28c334c17bcbcbdfa258926fda0dbf64b42101e5a6ceea86c304fac57

SHA512
0dd6db0f4f26c408a241490b21fa75c8829fe11c85d0dad22888f7bbfb925a081087e535f35fade3df3950eec3cd8fcb4689cab99e86d3a404d157051c0c1c48

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
241KB

MD5
2d07dcf260df835d11c805f2e7f8c159

SHA1
25c8284b4b097da369349b39af3dabce2cc97802

SHA256
68a568252382db530607116076df3a26082efe67d216547bcc688a8b478957a6

SHA512
adfec8cc759e9fbbc51295c356eb4e90f26d9ee7d759ab5e9f740a55ab79fe14265c447ec20275ba8c8054a750087f717f27397566db1c4ee5cac2a76f513fcb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdate.dll

Filesize
2.4MB

MD5
6cfb1cd81b4c65e3a0b3e7d6d8c8cee5

SHA1
a413c36ba58cb1aae06523da8751cb2984b67c9c

SHA256
ac21842fa444ab5fe6f677565a2a6734e0c798633da9dfdc434ba5bcbae6bb22

SHA512
042466d8a606a1b1085ccdddee43cdb90607348179478d42f1fd71e89053ae7f482b9353268afab3fc3e44cc798614d6ad1364bd65040df406d5761eb8a8c307

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_af.dll

Filesize
27KB

MD5
96b7c2e7488555b0ea74a55a6eb08fc7

SHA1
5fba1ef4332f00a9ac1e0a95dd92719d11e931bf

SHA256
ead92721fee00699e3878a51c2432a6de4f1de55405d07e486d7458ccadd57a6

SHA512
9c4f68b6c6f029ae2ffd33bb40bb4f12a59872613006f19766a9dc2c2c7704e9b33b4b6a6ec44c02920c71bba11cbf245f93816a7659fc11394e43771cbddffd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_am.dll

Filesize
23KB

MD5
993a9ea0056417c22996d273c4cfe0d3

SHA1
2fd91e16c17f50624581b47eee47929e86e37715

SHA256
f1f2c1070f8523636107eb86c53dd3b4ac60bbf0ccea99d8e536ee8ce6e45b85

SHA512
0fd9b9446a4296023d55a821a9b0b84c3b5fd2d2d6da231325acae1b3696fa659b44f54b1d814a271724fba24e72b79dd33994a8ce96e2fde9aa97e04a09814c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_ar.dll

Filesize
25KB

MD5
ae6f01dff13f3f346d3e7fab70b94c86

SHA1
977c9797fa3500bb199bce84d26ba6b78d4c38d7

SHA256
243d3369b2379ced25bb650cfccd2723c3caaaa1cd35bb557dbffac861e6717b

SHA512
8dbdf32315d4e276199b5fdeb9ec4364da0d0d5dd851f07228fc5d21ce6f9764e3983f0221119f294a4e76c11fa72368f2df9e9684bc274cbe7adea5c020e9f4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_as.dll

Filesize
27KB

MD5
d060a6b214167b36b600084a1fce6d7b

SHA1
2060742691912bb7ef7b76f5e7a6f14efb310291

SHA256
1a9d6e3afa58a2fbb63e6489ae1ab1fea3d8976771d61a128457b80d3e0a64cf

SHA512
e96d9652d35d67860d9857785e2d798dbd28c34b508734e6e804a6352ced6d0dbe89aeeb95f1254e7fe690a6c13dd08e61044315153f813aaff1bb2a3a1cd23f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_az.dll

Filesize
28KB

MD5
ef8fbcb5b232d1863f8201389113aadc

SHA1
9ee80f6f0d9cc36b0b5b312c8d0a062aaa3c655c

SHA256
d84e5be67107e893601cf5ab4f2448db392972e00772139df50dc432a9a262cb

SHA512
09935f8b769f9542ce135df8d9d9598057f72ef4ef795a6d1e95aa554cebcf9b783d233cf6250cc7c7396316034d9ad02c69f6d816ac44a5528100a0d6e35da0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_bg.dll

Filesize
28KB

MD5
40f5673b792aedfcce328502d559203d

SHA1
3e8c73e8333b32cff92997dd22907b3a0ab13cbd

SHA256
f4d9599d52dd7b1336b9f0f00195df3f51d9b4403f76ad35f6bc27066bbcf257

SHA512
8c83d624ce5745ffb107c7e67690406ccb074c2e9d0e260c0952960b8f49fb3650299abf5ea52f1e2b963387f011fe60bf24ba8957dfad50c912ba9bdf6a461d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_bn-IN.dll

Filesize
28KB

MD5
6b551185c4abb67cd6c84129c9b169a4

SHA1
68cef1ff1578f23dfaf1d4c86f9d39d37a1e92a4

SHA256
5a908e3b82b303bdb9665560ef67c3c8613f0d04bc98ceebbff313cb1a0df49e

SHA512
a27632e5c0de0d7d0d67b8ce28f7dc9c4756b5985e544f640981451b32d2471fd746cf49074c559fa19ffa8d684e445749be3751a4e72a22e68204c046f85074

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_bn.dll

Filesize
28KB

MD5
c9604aad7d1e68654d7f8c030061c7ed

SHA1
227fec1594f6f34d576e16e911014b677a631c6d

SHA256
c7f9587526477bf146c67c823e2e26afbca370db294c9f1edb0ef6570d419dd5

SHA512
71e8b5eebdae271887e22af7873d98028ce096fc0e35f3b6091f7f3a4ba5121f1a13030d8e2ba735df5dc17fe4f336e8193f1a3921b8af46ceca3b7b53155ef5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_bs.dll

Filesize
27KB

MD5
46c1c90fd9c2aff9ecbaaddf76b05947

SHA1
1eefe8b225b3b2db68cc39462a876d71b1f3eaa3

SHA256
f2ef06b1ca06ba8c5ba1cc335ecb3b64454d825d88093fcdcfd444319ce4dc86

SHA512
6c5f3a2522f62bd597a5cbeead95aa18f70ab11cf383f9f8880900c64438f1db1e89e97e62b147a24d3a804665e89cc135b86adaf599222c628626f5c2b02770

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
28KB

MD5
11b32b750c88b34c745ea1969b948a56

SHA1
f3adb0f85f2f963c6d29df65807291bd5272cd28

SHA256
c53f9d293c6cda95a2fabe165f7232b2a3506ba35e9d4e18b1ac00309e25b126

SHA512
2edf47c4bbbd429c86bf1ee4707706fbcfccc5f13b08687d6530d90a74b05b81b49704568df1045f3b98b677ca38a4c7e3efef08ec3ec86a5bd97a4a25dc5ce6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_ca.dll

Filesize
28KB

MD5
1a9382add72a8b65cfdc4383febab107

SHA1
4b00e4df3f0b02e28f7e9a3a07281f798480adfa

SHA256
3b0a5335c17434a0c30fa8c52bc8af15b1c7702aea554edefb19184442fd26fb

SHA512
6b296efbf1c73c8d7a3510f5e7c2c1ac83415c3cc905398199ee5c1b70939512ccd8cfe5e8a8fb60ceb4899272dd9b4367e8c5f4c7e2f04a5754800147681032

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_cs.dll

Filesize
27KB

MD5
2bfd3ce1a1bcf3d116df5414faa5d285

SHA1
e85c3588a98ecab7c3d21a96534222bb063dae7d

SHA256
8a0367576591cf6261e3fcaf7e52e266b6c325e22d7f94441b9002f18f604461

SHA512
6c69a7271777277f9ee1c98bd680904296427c00fd67c64c567877bd50650b891ac18544143b0f4b3c2a839325d3eba63b23ad63fa7d58b2469cc0ed64a06083

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_cy.dll

Filesize
27KB

MD5
3c8bbfdbd4817d02a9954307107211f1

SHA1
7cb746d9dbde0bb6a35d75ffce42bb1c3cb8ba98

SHA256
f0e0ef1f82643fea9db0f79c727f1a7e3ead52ef209162258e7c37323e3214e7

SHA512
365eb28dde451d164624ced721dc099ef290bbef5fbfc054558d9f43447fb1ae1dcfedf910260c972f12c35f7f27d05e23bd90590ebc6d3f1e70acbb5de8092c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_da.dll

Filesize
27KB

MD5
f7fd3e001cc1191ab201c1dfb25ddd6e

SHA1
064fb4e941a6c487e792240fecc186b4bf79355a

SHA256
a57e2258e5422b8d89248ce541bbaed5e47063b70a16b446af1ad210094cb64c

SHA512
0f4870ce742e2cbc39ee504906426d768829d25dda6bf31afc5bbffc0ac3b4808f7a7b98d952ea977f10d27ae3c5e1ff5d05f65c61364f851d67e68a6b8189cb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_de.dll

Filesize
29KB

MD5
87e0d2b50a90fdcc1861f8a066403bff

SHA1
abf39bdc5e5687b798340f7b3c8fa7940966cf4a

SHA256
a5d33e98b7c72aa3d954f811541af524a5f3c4123efd196e36ac52e383e08894

SHA512
4d5434c423156e5ac5d2cd8d492940cc9564e661f39ad1dca8cd1830e04868d081f7ed0e75086dcc6dd551039f12125ceea49fab3b6959e5ed49f37d69423124

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_el.dll

Filesize
29KB

MD5
ce6442e0f9614988b2e37b649101e9a9

SHA1
8e5b9587d94874c7d1e6881c5c40f814d48460f7

SHA256
b519b9a3938807243cece58809b47036243ca81c957075a6eee65c0605383862

SHA512
bad75f04b5b16b41c23f6a1b58fae303f513f72ad37be0ee969436ab736a7bf56944cd61774d87861ea0ca128f5b48ea11e6c54f2116f1b7a674e025520c8238

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_en-GB.dll

Filesize
26KB

MD5
86766127a8e0dc547f0f64598db92691

SHA1
cfb56cec1cbb4f1685aef8699579d6035e086a2a

SHA256
a889dda8a51ce9c84ea1071512fc5e05b0fcc782fc45843feebe2470a0f7ffbf

SHA512
3131e2b9a84f315e075de9b77c576265b1043dec70ed3d40955307819935bc2d90caaf92d4b3cfb1023a40fd14402c3952121ba86f714be9ed0db049a1de54b3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_es-419.dll

Filesize
27KB

MD5
715b1e3f1879ff94374185f3c31f935d

SHA1
0448afd9435f08469a167f061c7e6470cef5f664

SHA256
98b381350573b9345545f36de57d556aaeb18e83428380427aa78398475be828

SHA512
13ca2cd2e53db6c28958dd76eea9f4989ef4a2ec1d7708bcf458ee40e668b3394b0efabd0dc48918c1ab773119afa4abfa74ccbe276a8a01855ed4041215089b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_es.dll

Filesize
27KB

MD5
8aa2eeee9867a78cd9d24a9d7efa65de

SHA1
c5a38858e63b3b95621810493c8c78d81519b963

SHA256
47dce4d04ca263d68c7b9818c9ffedd8bb194262e93f002f20af095c4420d555

SHA512
693ed6d248a1f903ed706e63c27a03ec17ca607b2f525b2e412e9efccf48bcad7dc1481aaa08f91abed09a2b63039502275e369e8a8393f6ed5799534cb80d15

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_et.dll

Filesize
26KB

MD5
4a0ded6b7238876524f1543bf9c1b08e

SHA1
53d2dc8b6fad79cc65aab1086c8b33aafc9fabec

SHA256
c11959f8f8f4b7a14b6c6019f9cad639aa674a47edcc87e7ec3864d8ff20e9aa

SHA512
7168a00f2533fa3bed484dd6fd34341972fae019e377b02aafbbcb01ac276b6d713bfdd7972d0b6b3aa03b4e59575f98a36154b20cfce2b51dd5bcfbe814ffd0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_eu.dll

Filesize
27KB

MD5
75419454882991170ed13b9590edec87

SHA1
942ad256bc23b134a34dcf70d510d09c8cb1d8ed

SHA256
01b2b710cf2d8c41120f265c97456d64b81fc5de557c263e3a41069019784c5d

SHA512
040dc9cec4e0b8d08fa27c5159c589ee45a9b7d763bce8e7e409d6b3152f0642dbc1b8cf55c8392f5efb502c6fe14e82f2458daa0fa5600fb12e55500042f96c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_fa.dll

Filesize
26KB

MD5
3af6730f373e7a1355ec9cab1eebec28

SHA1
58b7c7c0818622208d0a9124d2da8f65d0d2a35f

SHA256
6726b22df72da907dde5bd897835bb747c2df4235859d20ffc6ecf1594b72bea

SHA512
a138cef9c76c224471692042a95fecf61e97fdd26d9e5d468698454436e1ca4fc68c15a6d7b346a901b0bb187f27b5dc6388b7da8a53268439e8f45719c6a6b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_fi.dll

Filesize
27KB

MD5
c67e2f456859e3b747e49ca40d303a96

SHA1
82a1fc90adeea44453859a7a3dc445a64b71ca80

SHA256
328ddbaeee9fea6d2aee8d2bbd286af178b2a088cce24c9c774afbf035f6bfd5

SHA512
ea381f0ad307b8ff7c8e89a3c9b09a1ae88bea3cf7bfa0d9f09b28a732a7fca09f7bc6dd60f8f950fad8e8bca5a0c12909c844d2fa25b1524ce4767af53b0457

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_fil.dll

Filesize
28KB

MD5
e6ab658d70f9cc88657d6d18c59312ed

SHA1
1049ae82bd6786b4cb458141067d49f99c6d8a2e

SHA256
f9dabd8dedfa0f6c80dad7b86ec7ceb5bbad6b461d67534db9428ab59cee3fd7

SHA512
ffec0ab77b6b6e2751d6a0ba2d26d5739603895e3ab7fb390f899ff8ec743894a5def906910979ac805485cbecb2da2a6ae02e50905631084e580dbbcd23dc76

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_fr-CA.dll

Filesize
29KB

MD5
125fd51b300c821536548cbfe72bbf84

SHA1
b4b3b84870f08120da8ec88900b28fc8eab3c2e7

SHA256
486e193ec46ce4d8f9f925d73564e9a3b68d39f3c2f9c00302fd8fd4c6810711

SHA512
57f310589a034bcacb42d91cc0c7a53f128b3804ea50fa2b461cfc322c824dbece5d67c67f4ade66177d687af8595efeb8283fc7925b3d644612f5998c5bd48e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_fr.dll

Filesize
29KB

MD5
a1723bf780c3af8bae9e01f525884dd5

SHA1
b827f0f52e002ece363da5f44b20e55199617af7

SHA256
7edde6ac3346e654b66a0621c30626f8d1720608b4c107e78b1c6e42595b14d8

SHA512
26147ad565d8694a244b923ce907ff0d9d26dda7cc7bb3d2e755f91bdaa9455b75bbac959ee4481ca009967b849223400efc6d72ed9106bf684c2bfeead2cd71

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_ga.dll

Filesize
27KB

MD5
564024e243e97f89d3acb6eca15c81ae

SHA1
42f0898d40f8782ce9c4b848baabd3c97b760a22

SHA256
015f5318a47dcfb6db4cfa41394118d0b6a6a09cb972fbbff7549e144c445816

SHA512
487d5f737e79bd40c73dbd75ec8cd57b90884ab18d1659a79e7c2ed657fd2f96045a65276397850108315adaeb2a70e2acd5a2dfd1f61437fe5d69cd0f51d183

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_gd.dll

Filesize
29KB

MD5
81d4b648b3c3de7833fed0dfe0cad957

SHA1
a073986a290ba878a0f4b605af27c5f551a01a2d

SHA256
55b107edd473adc897edb619006b867c1cb3e32f6b29631315a46764a95e96ec

SHA512
125eab74e8f760095914a4a9285aa645375896b7b2d7f957f317b289a4cea512d4f8b64c65832ff9bc1541f2b3d91b9233d6278e20a07f97acbef04429371085

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_gl.dll

Filesize
27KB

MD5
a8ce04e1e7cbaa613443c12c16104b8f

SHA1
d990a50a58449eeb7a0439f831b60848acf15034

SHA256
db1e17395400cb402a1d75ac51351af2b5100794dfa2cc11befc5cf6bd87505c

SHA512
a126b03a6c913621e89448bc53be25bf0e29e2743cfa015933b0d0180da421941b359f9fb2fb525e122a4924a78e51abd450e3459a9bcaaf8ccd7c301d5d9609

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_gu.dll

Filesize
27KB

MD5
876cfa7452ebd6908e9190603f34969d

SHA1
5cdbc3e4a8c7ed9c615f64f1a72a64bdc4c33f38

SHA256
ecbe933cf5548e47eeda04b843eaf7bc1259777bf7de79c99b6a9365fed5a679

SHA512
a5cbccb0b78c56c12f9121c4a64d110d4ffa41ae42e5581146978497cbc0ffe4d97640676e08a6b7317fcb216e3e18649306ef53e1f6892201f320b4fe5bccfc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_hi.dll

Filesize
27KB

MD5
72e08ac0ccaf23b9c8930a2f3095231e

SHA1
ed5e67be12f2abde36d03b4d91c65fe65b62350d

SHA256
dbf1f92547a16d44694195efb846d92fe1c9d458de86fc193558cdf6ad7f11d8

SHA512
c72097cd918ac1d1742e6fb6fe966cac4fcb4b96ae39e116314383e65424c64e5ee3340b07295c1a98b1c0797b4ba8f8387e7e0d27c9fef077b2b69726311bfa

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_hr.dll

Filesize
27KB

MD5
a48f1bd9e421ee374265cd83c0e39ae7

SHA1
ddbaaa64964b0c8025fc896fa6d6728609454148

SHA256
7b9086fba930dfa5bdd3a0ab94475107055dc9f997fbf46178eeddb1e4dd8ed5

SHA512
b889e66e9d116363c8cff9bcbcf9d863940566ebc6e083b1684ce869ea7d88a5d228670e70c57578b7f8c246e0f1a3b3e65ef49dec0f28013c63c883d8d57a6f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_hu.dll

Filesize
28KB

MD5
08f00bd737b4f654d1d870d54aa0c198

SHA1
0b180855b7d2e92454a0c1b46f01f4e823821ac6

SHA256
2ea9127fb8afd1e3e87df4684d13bbbf4605ff4e7458ee0f24e6a9a7e0405199

SHA512
1183942479b485eb1564b3c49adcdef1105906058f3176d7dc7499ce64a91d6ce79a3a618b9ae209503fc4100d8ef7b1c536c902363b12d91d9c2a0a957865a9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_id.dll

Filesize
26KB

MD5
19caa80ec5f7a53e4b2c66f6d35b4fec

SHA1
37df0974fe6e7d0c1d8f5fb80056cfc6947a653d

SHA256
e4c243a191c8f51f8b7041aae4d87f1b1773c5ce6cb20072c8e3d6a8223fdefb

SHA512
229da3a1f4d61a8a26689624132e75039d0d629be3befbb2a46266cda51009af8cfbb35cad11a49bdedc429ce4f7f758cb9431567fa2040ee0809b1aef4ee566

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_is.dll

Filesize
26KB

MD5
191a76357b0f12e7005d4fb46352bbb5

SHA1
3fd863ad41f9987ad699d49e9250fdaddf0e8fef

SHA256
cec511e41f8a4ab4cd4e0725d5cf31002be354eddc04895b9e315be0f057c374

SHA512
a6b6f79b4acc024ae84001c819e30a68f3018b6623c8048f0b7ac26c58fd440734b48cef364a3f3bf384dc18f1304ac4569dcbc1cca1dbb6eb7b69a312acc9c5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_it.dll

Filesize
28KB

MD5
9db6d19ca5d0d0c863b7e0a45b0ac00d

SHA1
9e9da9a7b39fec72d768593ac2ac9bdfe5a6f079

SHA256
d7ea9892539b7241909a5c3bc5a63ba931952214ef522165f7af5f2d23db87c5

SHA512
e739b0dfa656b3c75f8f8f1590d6598a1bd2950c36d5427562a3eeef46727cd9bce7d1451db8f5a85a84487706bf23a9665349165e76abcc0d8d7a79965861c5

Download Submit
C:\Program Files (x86)\Topup Software Ltd\TopupTax\topuptax.exe

Filesize
14.3MB

MD5
55a3de0cb397e8d3bc523ec6a34f81c8

SHA1
c7d330c53c986f4ee509b7d757bc56eb6cdf34f2

SHA256
5becb8b279507fdfb5923de32bb9b055e5dccc03d8b105e707d71ddd8a101f93

SHA512
2fd18840dfc7a031596a295393c6072ba7b1f49a785d2e31a53f0bab183ebf9c6457ecce43fd094948464199d0bdba15112669e67c434b4d412857013143866a

Download Submit
C:\ProgramData\IsolatedStorage\oo5kis3l.lid\yn20lie5.sez\Publisher.hq3fnytg3lirup0j4mn4h4hexkru5q11\identity.dat

Filesize
1KB

MD5
c4733c748bab65e64d46fd2634609132

SHA1
09bfa76b6b2bde8b795e3d6bd63c50dc723b33a4

SHA256
6fc405f0adc728681745216f2a36bbd44b4427d48d14adafa2db9d224d615b70

SHA512
457739ff27b7481ea2ab85e968f50e5407d2d0bc554d8f09f944036456c30795533c8417a3c92b970e0b038b05ed2ef09a2c61b967ffcad37fc9301ac0b85a5a

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
16KB

MD5
648830c2740d28c756d7774a64d9735a

SHA1
b370409f4d879b04f92d069d03ae6bdeb4067e30

SHA256
0be8932934df56420b9885fa14b15534ca3b04b76a250e292f438ee7f30edc84

SHA512
2e909d9ffc0d584754d58bcdfd8d72cd5500eb3d560232919c8b6b55b6c9f0bf26123aabb4eadd6f89f5244040bf03c214c89fe95e89145e56bf1e7c9fc71b86

Download Submit
C:\ProgramData\topupsoftware\topuptax\cumulus.vdb5

Filesize
4.3MB

MD5
b22150024e9617ea9eeedc78830f6bf1

SHA1
766d2e6e67036bc948e3c0eb100f5949ef7f8318

SHA256
0baf8f5d67d3f69abb2ddf81ca5c22b593ebcd06324e233a0d2b2abbb68d28e1

SHA512
dda253d0ef33a02e8e786801a05c56a87ae6839d13922e9f2a44ed8183a07627eb082f2a9a32df382fa4d60adf019a5ec21f719f7c9c1c80e168c7a63c4b8251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2076\Logo128x128.ico

Filesize
66KB

MD5
eff2038909675e03ec33836e774790a8

SHA1
817ded3150ccde975d180f4f7a27b6f86529ccd6

SHA256
0d9a5a57ebe577d01ca3691bbb67982aadd2509fcee15d961405ed36e052f97f

SHA512
b4f974e0e9f7e7d856b921aa74e92fee955a92107b890293c242e288fb4ccd9f6feb780aca5b39de98c76ef1e183d82a77d6ddc416fd3abb6ef14f857c42bbed

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2076\background

Filesize
20KB

MD5
3ddc9ae9395280f17e5003076f8221bc

SHA1
3c1cda38a92690c3eac7169914aee2d0a2b804f4

SHA256
5dc5506f2ddbf259b48e26ab44429804571a2da19fa4a4be7bca63cef6a790d4

SHA512
4c911fc5e3b13dfccb7fb621f52a756bdedcf4746d1f3135de14e337ca3106bb92f2c114cef3f4bf1a4498a88dd386a53597ed2740d047a2cf0885f37ab6bc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2076\exitbackground

Filesize
12KB

MD5
ad524d99c8fc4d6831a8b93863bbcb0c

SHA1
002f5ff4222e013b4b790a68d63347809ac29bde

SHA256
be668802cadcbe20af73e37b8aab99c15e70ef86ac08d51ffe368fca4b801696

SHA512
c2a3c6bc22922145b4f793a93023fc3c1e3c605e2cc833330d7bd71ee35ad99984a1af07fe7d2af1ea62644be0e127873ebfc555cb61fe7c8dcafbbb1ebf3f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6FA6.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7697.tmp

Filesize
738KB

MD5
36cd2870d577ff917ba93c9f50f86374

SHA1
e51baf257f5a3c3cd7b68690e36945fa3284e710

SHA256
8d3e94c47af3da706a9fe9e4428b2fefd5e9e6c7145e96927fffdf3dd5e472b8

SHA512
426fe493a25e99ca9630ad4706ca5ac062445391ab2087793637339f3742a5e1af2cedb4682babc0c4e7f9e06fed0b4ed543ddeb6f4e6f75c50349c0354aceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI782E.tmp

Filesize
1.1MB

MD5
7e4ef4bc701a5f46a1fee1a9fdc403f1

SHA1
ab00fc0985d7cae8ccfdae1cd4e687192f079d47

SHA256
34fe948e2b005a424f4e8aff9d9ef847d5623b99196fe5f5e9bff4983770d95a

SHA512
7f8013d024142377aad49fc2c5c30376a4b9dd6c732dbbe3d88d2377965ca9e544d7065c7ee5aa1bd9d29b51f19255335c7ac3f85b5079b1cad710dc74bb8748

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI79A5.tmp

Filesize
870KB

MD5
65b853552e16654c53ab4d16920a9182

SHA1
9f8182ef1b58d0d52f4faf1688d4f4e9dd8af5c5

SHA256
80c5e769470bb98c5b1ec3be0a9a51f0821c67e9adc7e3e254bbc41183ceb76f

SHA512
b56c00e78ca901738a4a067709c772cfbdf10d3a049af4e7eb6bd7a0cb0629472d7798dabb0eb82958ae90cd71acc79e5cbc3d26b0f42d3cc7cc8ec2236aa54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6FD8.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7250.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Topup Software Ltd\TopupTax\1.3.38\install\01F812D\InstallTopup.msi

Filesize
3.6MB

MD5
6402237c8445a01f8c2f84270c1e4d09

SHA1
1a92b61be170bf4badb8bd3ad52c02e00c8d2df0

SHA256
bb5309b1424b1df0aaa204d51f07c093d0c99d67c229185c90d693251a24f9d4

SHA512
f048f44517218f052f0f91131505f1edface8a1d8e559ae5e52f2207ec24fc55ac2ebf127ff2dbc3d46d91bd4776a0b17aaf06c6a81476064decd4c406f61291

Download Submit
C:\Users\Admin\AppData\Roaming\Topup Software Ltd\TopupTax\prerequisites\WebView2\MicrosoftEdgeWebview2Setup.exe

Filesize
1.7MB

MD5
b97ff6d43d00ae1df8b45f13c3348c0e

SHA1
25c34e3cdafbf5ae0b920d03a19022cf88908888

SHA256
0568839c9f95b04b863f292589f930c63f0375e6db462b38b6aae7410ce02584

SHA512
161541bd608f99cd2471d0b0f42e06feb9ce5cd68be2725f2aa61db2b6a3e78320545dd67bf5427065408b8b2fb761f88ae9518b05b4df4f891d984d6b6b39dd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5f7b33530129d1f9bc1eef63aaad1d8c

SHA1
4e0501d580940037b371344ed65c15b56063a46a

SHA256
7abdbd4c4ffd1e97bfa104a2bdaca6eb9abc92048690bbd35123f2347e59c51f

SHA512
6d87ad89e6a9633a661a9121b59b40f4f45c59001e0a0cd76e8ec7471cd89b9cbf08c6e94a6bade21483f1463957456ef8f86968095f332496e77b7b1d2b3089

Download Submit
\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\MicrosoftEdgeUpdate.exe

Filesize
209KB

MD5
a40025702cce661c4fb1e77c449d7be1

SHA1
214a5af47d68293ba1670852718e67213feeac4f

SHA256
025df5c7a2b0afa43d54fc53a0a21f2ddf6df03db03a5032ee7ac0360e284185

SHA512
6a6c9e4d40a2afdafc65cad26a1448c44e4a488d16d1856235f575c47603aa5615ab062736d7988fe6e882aa4fa1b943649a28c9e74dc926151023cfa21a02d3

Download Submit
\Program Files (x86)\Microsoft\Temp\EUA93A.tmp\msedgeupdateres_en.dll

Filesize
26KB

MD5
0be55d32cfb7eab185a7fa7fd7f8f260

SHA1
5b1c47b1bf0c82432b31f83d7d9a67df324851d2

SHA256
77c36d4a9ac2dc5ba64b69d4e8686bc79de101e0ae45da1738c9cc467ac968ce

SHA512
f1534b4763b8895b20aaede5132cf3cfb21196631287c801362879459dd8e6073ecf4715cd1aa3fa91c46fdb35255695741a10158c0b7d9fe074893938c0aa2c

Download Submit
memory/1568-2246-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1568-2267-0x000000001B6C0000-0x000000001B73E000-memory.dmp

Filesize
504KB

Download
memory/1568-2243-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1568-2244-0x000000001BF30000-0x000000001D0EA000-memory.dmp

Filesize
17.7MB

Download
memory/1568-2245-0x000000001D600000-0x000000001DB24000-memory.dmp

Filesize
5.1MB

Download
memory/1568-2397-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1568-2247-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/1568-2248-0x000000001E230000-0x000000001E5C6000-memory.dmp

Filesize
3.6MB

Download
memory/1568-2249-0x000000001E5D0000-0x000000001ED5C000-memory.dmp

Filesize
7.5MB

Download
memory/1568-2250-0x0000000000AF0000-0x0000000000BA0000-memory.dmp

Filesize
704KB

Download
memory/1568-2251-0x00000000005C0000-0x0000000000630000-memory.dmp

Filesize
448KB

Download
memory/1568-2252-0x000000001ED60000-0x000000001F1AC000-memory.dmp

Filesize
4.3MB

Download
memory/1568-2253-0x000000001F1B0000-0x000000001F60A000-memory.dmp

Filesize
4.4MB

Download
memory/1568-2261-0x000000001FAC0000-0x000000001FC0C000-memory.dmp

Filesize
1.3MB

Download
memory/1568-2262-0x0000000001270000-0x00000000012B4000-memory.dmp

Filesize
272KB

Download
memory/1568-2263-0x000000001FC10000-0x0000000020290000-memory.dmp

Filesize
6.5MB

Download
memory/1568-2264-0x0000000020290000-0x00000000203A6000-memory.dmp

Filesize
1.1MB

Download
memory/1568-2265-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1568-2266-0x000000001B530000-0x000000001B586000-memory.dmp

Filesize
344KB

Download
memory/1568-2242-0x00000000012D0000-0x0000000002122000-memory.dmp

Filesize
14.3MB

Download
memory/1568-2268-0x000000001BB40000-0x000000001BB76000-memory.dmp

Filesize
216KB

Download
memory/1568-2274-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1568-2275-0x000000001B750000-0x000000001B75E000-memory.dmp

Filesize
56KB

Download
memory/1568-2276-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1568-2283-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1568-2284-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1568-2285-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1568-2396-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1568-2305-0x0000000025410000-0x000000002561E000-memory.dmp

Filesize
2.1MB

Download
memory/1568-2306-0x0000000025620000-0x00000000257B8000-memory.dmp

Filesize
1.6MB

Download
memory/1568-2371-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1568-2331-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1568-2343-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1568-2344-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1568-2345-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/2076-0-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2076-402-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2444-343-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download