9ccb0bc19f24b694a4129cc387279457e57671f8109937550258ffc40173423b

Analysis

max time kernel
137s
max time network
130s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04-08-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GrowtopiaInstaller (2).exe
Size

230.6MB
MD5

3a3fc09ccd9742f23dfcd213ea0cc4fa
SHA1

e20b17bd6a625259b4f9b2c9f8439d761bc126e3
SHA256

9ccb0bc19f24b694a4129cc387279457e57671f8109937550258ffc40173423b
SHA512

cfc533d6c845692a94868d4df276b47276504cce838bfffea3ff41a33c6d384d70583bb9413fb6048ecea0cf1311ce38c3311fda2e712c2aef3625bb45016971
SSDEEP

6291456:2TkXdHjFqVWTv3QXZ0ZDhip7rOCXqCS6N:2WmWtb6rOCaC/

Score

6^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 9 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

MicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_bg.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_hu.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_sq.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_en.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_gu.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_nn.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeUpdate.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeUpdateBroker.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_en-GB.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_hi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_nb.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_vi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_fr-CA.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ug.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_az.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_es-419.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ko.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_kk.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_sv.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_km.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_et.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_tr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_gl.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_or.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_sr-Cyrl-RS.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_fr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_bn-IN.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ar.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_sl.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_quz.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_tt.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeUpdateOnDemand.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_it.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\EdgeUpdate.dat	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ca.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ka.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_iw.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_sr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_lv.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ru.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ga.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_mk.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_bs.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_lb.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeUpdateCore.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_es.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_gd.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_fi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_id.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ms.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_th.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_zh-TW.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_el.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdate.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_hr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\NOTICE.TXT	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ja.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\psmachine.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_fa.dll	MicrosoftEdgeWebview2Setup.exe

Executes dropped EXE 18 IoCs

Processes:

vc_redist.x64.exevc_redist.x64.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exe

pid	process
2888	vc_redist.x64.exe
2860	vc_redist.x64.exe
1980	MicrosoftEdgeWebview2Setup.exe
1532	MicrosoftEdgeUpdate.exe
2056	MicrosoftEdgeUpdate.exe
2636	MicrosoftEdgeUpdate.exe
2736	MicrosoftEdgeUpdateComRegisterShell64.exe
2824	MicrosoftEdgeUpdateComRegisterShell64.exe
2936	MicrosoftEdgeUpdateComRegisterShell64.exe
2648	MicrosoftEdgeUpdate.exe
2856	MicrosoftEdgeUpdate.exe
2588	MicrosoftEdgeUpdate.exe
2596	MicrosoftEdgeUpdate.exe
2016	MicrosoftEdgeUpdate.exe
1500	MicrosoftEdgeUpdate.exe
780	MicrosoftEdgeUpdateComRegisterShell64.exe
2716	MicrosoftEdgeUpdateComRegisterShell64.exe
2884	MicrosoftEdgeUpdateComRegisterShell64.exe

Loads dropped DLL 49 IoCs

Processes:

GrowtopiaInstaller (2).exevc_redist.x64.exevc_redist.x64.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exe

pid	process
2188	GrowtopiaInstaller (2).exe
2188	GrowtopiaInstaller (2).exe
2188	GrowtopiaInstaller (2).exe
2888	vc_redist.x64.exe
2860	vc_redist.x64.exe
2188	GrowtopiaInstaller (2).exe
1980	MicrosoftEdgeWebview2Setup.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
2636	MicrosoftEdgeUpdate.exe
2636	MicrosoftEdgeUpdate.exe
2736	MicrosoftEdgeUpdateComRegisterShell64.exe
2636	MicrosoftEdgeUpdate.exe
2636	MicrosoftEdgeUpdate.exe
2824	MicrosoftEdgeUpdateComRegisterShell64.exe
2636	MicrosoftEdgeUpdate.exe
2636	MicrosoftEdgeUpdate.exe
2936	MicrosoftEdgeUpdateComRegisterShell64.exe
2636	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
2588	MicrosoftEdgeUpdate.exe
2856	MicrosoftEdgeUpdate.exe
2588	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
2588	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1500	MicrosoftEdgeUpdate.exe
780	MicrosoftEdgeUpdateComRegisterShell64.exe
1500	MicrosoftEdgeUpdate.exe
1500	MicrosoftEdgeUpdate.exe
2716	MicrosoftEdgeUpdateComRegisterShell64.exe
1500	MicrosoftEdgeUpdate.exe
1500	MicrosoftEdgeUpdate.exe
2884	MicrosoftEdgeUpdateComRegisterShell64.exe
1500	MicrosoftEdgeUpdate.exe
2188	GrowtopiaInstaller (2).exe
2188	GrowtopiaInstaller (2).exe
2188	GrowtopiaInstaller (2).exe
1184
1184
1184
1184

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vc_redist.x64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exewermgr.exeGrowtopiaInstaller (2).exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exewermgr.exeMicrosoftEdgeUpdate.exevc_redist.x64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GrowtopiaInstaller (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

pid process

2596 MicrosoftEdgeUpdate.exe
2016 MicrosoftEdgeUpdate.exe
2648 MicrosoftEdgeUpdate.exe

pid	process
2596	MicrosoftEdgeUpdate.exe
2016	MicrosoftEdgeUpdate.exe
2648	MicrosoftEdgeUpdate.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-38-63-87-7a\WpadDetectedUrl	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-38-63-87-7a\WpadDecisionTime = 80dafa1595e6da01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{037A4A68-ED10-4779-B6EE-7852093F915E}\WpadDecisionTime = 80dafa1595e6da01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{037A4A68-ED10-4779-B6EE-7852093F915E}\WpadDecisionTime = 00d2373495e6da01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{037A4A68-ED10-4779-B6EE-7852093F915E}\ee-f5-38-63-87-7a	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-38-63-87-7a\WpadDecision = "0"	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-38-63-87-7a\WpadDecisionTime = 6053532895e6da01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-38-63-87-7a\WpadDecisionTime = 20e9f62e95e6da01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{037A4A68-ED10-4779-B6EE-7852093F915E}\WpadDecisionTime = 20e9f62e95e6da01	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-38-63-87-7a\WpadDecisionTime = 6053532895e6da01	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-38-63-87-7a\WpadDecision = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{037A4A68-ED10-4779-B6EE-7852093F915E}\WpadDecision = "0"	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{BA4344C9-31F7-44C1-9802-7F90B352D5C5}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\ProgID\ = "MicrosoftEdgeUpdate.CoreMachineClass.1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{BA4344C9-31F7-44C1-9802-7F90B352D5C5}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CurVer	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{BA4344C9-31F7-44C1-9802-7F90B352D5C5}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CurVer\ = "MicrosoftEdgeUpdate.ProcessLauncher.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{BA4344C9-31F7-44C1-9802-7F90B352D5C5}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ = "Microsoft Edge Update CredentialDialog"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{BA4344C9-31F7-44C1-9802-7F90B352D5C5}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0\CLSID\ = "{77857D02-7A25-4B67-9266-3E122A8F39E4}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CLSID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CurVer	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\ProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ = "IPolicyStatus4"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass\CLSID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods\ = "27"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{BA4344C9-31F7-44C1-9802-7F90B352D5C5}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CLSID\ = "{E421557C-0628-43FB-BF2B-7C9F8A4D067C}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.185.29\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CurVer\ = "MicrosoftEdgeUpdate.CredentialDialogMachine.1.0"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CurVer	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

MicrosoftEdgeUpdate.exe

pid	process
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe
1532	MicrosoftEdgeUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

GrowtopiaInstaller (2).exe

pid process

2188 GrowtopiaInstaller (2).exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

MicrosoftEdgeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	1532	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1532	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1532	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GrowtopiaInstaller (2).exevc_redist.x64.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	pid	process	target process
PID 2188 wrote to memory of 2888	2188	GrowtopiaInstaller (2).exe	vc_redist.x64.exe
PID 2188 wrote to memory of 2888	2188	GrowtopiaInstaller (2).exe	vc_redist.x64.exe
PID 2188 wrote to memory of 2888	2188	GrowtopiaInstaller (2).exe	vc_redist.x64.exe
PID 2188 wrote to memory of 2888	2188	GrowtopiaInstaller (2).exe	vc_redist.x64.exe
PID 2188 wrote to memory of 2888	2188	GrowtopiaInstaller (2).exe	vc_redist.x64.exe
PID 2188 wrote to memory of 2888	2188	GrowtopiaInstaller (2).exe	vc_redist.x64.exe
PID 2188 wrote to memory of 2888	2188	GrowtopiaInstaller (2).exe	vc_redist.x64.exe
PID 2888 wrote to memory of 2860	2888	vc_redist.x64.exe	vc_redist.x64.exe
PID 2888 wrote to memory of 2860	2888	vc_redist.x64.exe	vc_redist.x64.exe
PID 2888 wrote to memory of 2860	2888	vc_redist.x64.exe	vc_redist.x64.exe
PID 2888 wrote to memory of 2860	2888	vc_redist.x64.exe	vc_redist.x64.exe
PID 2888 wrote to memory of 2860	2888	vc_redist.x64.exe	vc_redist.x64.exe
PID 2888 wrote to memory of 2860	2888	vc_redist.x64.exe	vc_redist.x64.exe
PID 2888 wrote to memory of 2860	2888	vc_redist.x64.exe	vc_redist.x64.exe
PID 2188 wrote to memory of 1980	2188	GrowtopiaInstaller (2).exe	MicrosoftEdgeWebview2Setup.exe
PID 2188 wrote to memory of 1980	2188	GrowtopiaInstaller (2).exe	MicrosoftEdgeWebview2Setup.exe
PID 2188 wrote to memory of 1980	2188	GrowtopiaInstaller (2).exe	MicrosoftEdgeWebview2Setup.exe
PID 2188 wrote to memory of 1980	2188	GrowtopiaInstaller (2).exe	MicrosoftEdgeWebview2Setup.exe
PID 2188 wrote to memory of 1980	2188	GrowtopiaInstaller (2).exe	MicrosoftEdgeWebview2Setup.exe
PID 2188 wrote to memory of 1980	2188	GrowtopiaInstaller (2).exe	MicrosoftEdgeWebview2Setup.exe
PID 2188 wrote to memory of 1980	2188	GrowtopiaInstaller (2).exe	MicrosoftEdgeWebview2Setup.exe
PID 1980 wrote to memory of 1532	1980	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1980 wrote to memory of 1532	1980	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1980 wrote to memory of 1532	1980	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1980 wrote to memory of 1532	1980	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1980 wrote to memory of 1532	1980	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1980 wrote to memory of 1532	1980	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1980 wrote to memory of 1532	1980	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2056	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2056	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2056	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2056	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2056	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2056	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2056	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2636	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2636	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2636	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2636	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2636	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2636	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2636	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2636 wrote to memory of 2736	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2636 wrote to memory of 2736	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2636 wrote to memory of 2736	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2636 wrote to memory of 2736	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2636 wrote to memory of 2824	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2636 wrote to memory of 2824	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2636 wrote to memory of 2824	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2636 wrote to memory of 2824	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2636 wrote to memory of 2936	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2636 wrote to memory of 2936	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2636 wrote to memory of 2936	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2636 wrote to memory of 2936	2636	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 1532 wrote to memory of 2648	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2648	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2648	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2648	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2648	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2648	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2648	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2856	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2856	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1532 wrote to memory of 2856	1532	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\GrowtopiaInstaller (2).exe
"C:\Users\Admin\AppData\Local\Temp\GrowtopiaInstaller (2).exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe
  C:\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe
    "C:\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe" -burn.unelevated BurnPipe.{8161C627-7E60-4E7C-B48E-2DF1E5B7E57F} {CA24B7BC-F7E2-4200-B64D-1F1B9F1B6A9B} 2888
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2860
- C:\Users\Admin\AppData\Local\Growtopia\MicrosoftEdgeWebview2Setup.exe
  C:\Users\Admin\AppData\Local\Growtopia\MicrosoftEdgeWebview2Setup.exe
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Indicator Removal: Clear Persistence
    - Checks system information in the registry
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2056
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2736
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2824
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2936
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODUuMjkiIHNoZWxsX3ZlcnNpb249IjEuMy4xODUuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzlCNzg1MjctODQyRS00MDgzLUE0NTctRUZDRDFERTFGQTgxfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezYzMTNDODI1LTQ1MzctNEFDRS04OTc4LUFGNDlGNzY4QjI4QX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSIyIiBkaXNrX3R5cGU9IjAiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjEiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTg1LjI5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIyODcyMjEyMDAwIiBpbnN0YWxsX3RpbWVfbXM9Ijc5NiIvPjwvYXBwPjwvcmVxdWVzdD4
      4⤵
      Checks system information in the registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2648
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{C9B78527-842E-4083-A457-EFCD1DE1FA81}"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2856
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "2856" "456"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
  - - C:\Windows\SysWOW64\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1532" "324"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2676
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /unregserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1500
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe" /unregister
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:780
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe" /unregister
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2716
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe" /unregister
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2884

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2588
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODUuMjkiIHNoZWxsX3ZlcnNpb249IjEuMy4xODUuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzlCNzg1MjctODQyRS00MDgzLUE0NTctRUZDRDFERTFGQTgxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjQ5NUNFNDktOTc4QS00Njk4LUEwMDEtMkRFNzdDRUEwMkZEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjIiIGRpc2tfdHlwZT0iMCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMSIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzIwMTI3NTAxIiBvb2JlX2luc3RhbGxfdGltZT0iMTI4OTIwMjEyOTQ2Njk2NzY4Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTcxNzIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjI4NzUwMjAwMDAiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Drops file in System32 directory
  - Checks system information in the registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies data under HKEY_USERS
  PID:2596
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODUuMjkiIHNoZWxsX3ZlcnNpb249IjEuMy4xODUuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzlCNzg1MjctODQyRS00MDgzLUE0NTctRUZDRDFERTFGQTgxfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezQ5OTc3OTczLUQxMUItNEQ3RS04RTMxLUVBNUQzMDU0QTlBNH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSIyIiBkaXNrX3R5cGU9IjAiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjEiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSI0IiBlcnJvcmNvZGU9Ii0yMTQ3MjE5NDQwIiBleHRyYWNvZGUxPSIyNjg0MzU0NTgiIHN5c3RlbV91cHRpbWVfdGlja3M9IjMwNTQ4ODgwMDAiIGlzX2J1bmRsZWQ9IjAiIHN0YXRlX2NhbmNlbGxlZD0iMiIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Drops file in System32 directory
  - Checks system information in the registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies data under HKEY_USERS
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
182KB

MD5
e0a4142f6fd7098661dd27f41f6b51d3

SHA1
b92bed61c6b66f958878f498d4e7bb3d23e8975d

SHA256
52496289bd868f12474d9dca3f063853923f541803388b427487ef63f52c6e8a

SHA512
42d071c4990cd2d5aefe53ba91cf0880810a003236675d7f251588a507d2654db332b940962479f97811b7b83f5f686f5ff662df4ffa124552fdb0a1be8d1cb5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
24e62a7c8d7f60336e60c003af843a87

SHA1
9576d1924d37113c301cadfd36481586cdef870c

SHA256
43f7de9fae6b79a844d7da6056ac82beadf028a347e227c2bc33d503f7eb402c

SHA512
34f33015d3e7cabdea2ef39f7f149aaf39caa534b188a34021e577d68bbc48d1d99b7b13a1303d4ebaf5c29fda0bb573f3a6cb171aa2db67cc4b25292eac4a36

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
215KB

MD5
8200a55843c5c0da5ca8e01f77038bcc

SHA1
cdf2588a010fd6ac5536f9083076c480e05eb43d

SHA256
098eb4c373a48ee49681d83f9f03e3701f6dfd5361b6a071242ca23b3162ee96

SHA512
10780aa7a9d2021f7dfa2273a641f64ca37a941ec5ef08486becf2422e76382f424f9aca03925adb964e2423322b62ba4ff87b4ae8731e7d5743ac82e33b75f9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
261KB

MD5
8f559de7fab651b2a31caed79ac2600d

SHA1
46c7ce06e6592c391dfb54634b5caf136f5f6d7f

SHA256
a1b818b507c87bab9e3b4643ff68e6e35f05872ebcd1e8075a68a4cc87650df6

SHA512
e975ab0175a363c56da03e43730abfd0dc90e14a486a0f04ecb40c4f2279eafd29254ff69748930d102fb8480bdcbc86611105fccb18028f60e7b3f451c6a69d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
c1c4e3a4d49561dd0f6bc85f8062530d

SHA1
5394c3a4a2601a6bf7b06b5ae9119a3f0c95c974

SHA256
e9f1d362867beb3a767233de9d5af3a6e2762bb0627f291c6cb8f9faffb922ea

SHA512
0e7f6d2a29c48d99fb417c630287d8d9e9f0365f1c1f2e415f0fc64e12e577c9d4e93bf6573a589e88c75a9dc6c5758fcfd970588c3d187621f8aff8e5ffc5b3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_af.dll

Filesize
29KB

MD5
bd6f3d4a46abc156e47fe0d6c312a203

SHA1
dedb517b1d75993df4d7140cea0a84afebbfb22b

SHA256
5294a6e08b6f9818e89931eda4a0bd4ac3949c3f17ff036c1c5e2a6de8df458e

SHA512
bee57ee4c14d4c93a125f5219894d10f68982e3f03fac8acc90f2f9e159553ed82aee373107d0ab3b6d5aac2ea8cd58ecb0138de8f6ab28d5d963c28d0d84039

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
914899c76f15e4eb33455f50f60e9e25

SHA1
a66113325b547638824d5fa020e4b1eb0c3a4a96

SHA256
5c0b6bcb983b3ec422c1459802c993219b66318e8b69ffb09f07ccb28f607ffd

SHA512
ee2699489c6496d9db21484771a957acff27e39f2535d74f91dd352432b33ff15581ce4d9023a7ae273b7f2d8729103c5c06859e6cbcdef2c6ebda32ebfca3e8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
b06ae2aaa639338686ec4f4445173ae8

SHA1
842f67cab1334871e81e6428d23827505055a9bf

SHA256
7e0fbc3af82b58dfc244d17d18335fac1c7e72d87d9593a359a2390a241450a7

SHA512
4b8bb12b11074ce21314072577a7172dec62926a7a628d6526db46062354ad23c2e76b2dcc93e489c9ad17bf2a1b3782d155193f1ea24eb50c8fa551d40486bf

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_as.dll

Filesize
28KB

MD5
7310b6ae3b95e9a1ca5b60b3fbd619f9

SHA1
03fd7d4d53fd38cc8b48d837d5a43788a6bd8ea1

SHA256
65dcfc983496529b89c575451c6a897b4491f886783228526e06417499b124f9

SHA512
d012d3a27bd7ac166c3ec3614423b89216ff7dcb165d99462f01ac204117fb5afc525d448f8c250638f0ee11929e2c5be61447f83089a4cee9cdd26459656687

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
af0364c9356845870577374bc5609ea1

SHA1
be464b53d5dc8a31a32bffec2413081a330f0170

SHA256
813220adb207a07ec609a757a10217bccf22bd3742e3ca658324add81849121c

SHA512
68fecac6bf4e00fcd5c6c201c1756da13a3d87e4cbfa64fd2d1ab986bf3124303724f5ab9576bf33542d8a0f64d70069becd61182e4c6ab46801fe49a2e5be93

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
e3d3b90ed17afc3312b22051de516aba

SHA1
6dfd177bda02980ddcb21459969c8d21b4a42df0

SHA256
ee36812f90b3a1b5f72c512d44d312dc0d72404d98222bca8ea27ccc8ef106ae

SHA512
dbbe7499f0218e2628c357b5195e1f19349e79c53309daa972e294b19582c86d91a23b642c3bace74b0b7d7c94920931db7548178e0b7324feb29b0bae156a70

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
690f6eaa05e17f94ef59f988f052a4b6

SHA1
a3703cd237aa460e2729657a339febcbf8b8a863

SHA256
5a6dd9d9fdf372b723e8043881d4c39fcaa4f70c838fefbfb192f9c11b18fdf4

SHA512
47aa48f8de124d928c0b5d7f635909b3bbb6e640da67a0f014e00c238e06b060540b98a99fa51c9ce1c37baf9ee149502e05a753a25608b00ec7da39526f88d8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
93a91259d51cf1260bcea708c44319d8

SHA1
2d76d5f7afa1be815838e1aab109973006e3d0fb

SHA256
a1ab052c365976ae66b6b851a2282636c2c1f1b838a929e761f374472f0bcc55

SHA512
8c3d7bf11796adb998362343399a85ab5127f36f7ce64d575cf9918724e09a21ca8cae0cc0123290db5bcf6254a7b10d979ad0c2a7251c43529edebce85279e7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_bs.dll

Filesize
28KB

MD5
c7fb8690962bd9a9051cfb04b87d3ec3

SHA1
d843498bbc3ae01fc0f0fce13160db723696767b

SHA256
12330d302841d37fd8bb5b74df7d454062524fac88e954041ce485ac818122c0

SHA512
ed074b0890e5cfc2beadab8dab624687f2838ecebafc3da760e248c315201d2230ac6197e016ce480e1798d34e6bd2329e5bda2ef2d329207f1ed7f9d00491aa

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
29KB

MD5
97dc17c19ea5196783b2a20ce423697a

SHA1
693744a6f679cb111fca1134dd5efddf90b4b13a

SHA256
05b78e67f9400c654ad368d3e63b988602cb2cb89ad486ea340bfe05acefa040

SHA512
cbd980f7a99244bc47bf631bf6e661adece2c5d3f998172cbcdef59aab9cedf8226f15222cc9d96c56153c08d2424de70967dd96b76ab629492e25ca8660c974

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
6212f397ffe20c6cef27ce0ff4fef439

SHA1
7910895fb0b9ff6f954ece32aa069507e6914a45

SHA256
e94189425823ef69f9bf1f3cc133c23e67ad46419cc455a21d4090bf73a11ea6

SHA512
5f04d8c9bd0269ba87bbf4b6a8af07ba426784c08b0a88af4fda3555e1c4e192b56db3c6f0214433fed23675ffde8b0590e5b39bd6b1011c2aad71599ec47ed5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
85f99091263667f3b5e10ef585c6e31f

SHA1
de83594f08a9cf2df74b4100827d2a68d0304961

SHA256
c73bdd7c4c4d89f9e0c6827f4f2feb78efd4cb047253aab3cf48412b9a78fb7a

SHA512
272d8d8e45c5c9d96af41431747b09814b11ae7b08955e598b07f639277cfee8cac11455db43530d78a85ecb095ad83a8735d3e80f0e745629b0091fb0b8a2ad

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
6ce4b22b621bf021bf79117a13118280

SHA1
1b35ca44973ac7bbdadc4d6f3d160ab15ceb47f7

SHA256
7aa813b3bb3fbbec5d56da83d5b1db923be9c365511b1b02588336213fede938

SHA512
f8deca730042198c2b4fe506b6ef1af62b0e1dd1983b9e92e8d4247027f30d07cec7ff097a8304226ff96cdd528208961754d33403f20463d0b6802ade2cfde0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_da.dll

Filesize
29KB

MD5
bf382a14c9546ca8a6311f6b5df66d75

SHA1
10b61ba1e20da2b1b01e760caaa179256aa844e8

SHA256
5e516cb414cd8adf278cdceb2ae537cfd7c49c277cb5d7718bcf97897350ce70

SHA512
0172c495cc6213b073056dab89979a05ae9eabb7a04d2cc7c16206628f7eb98396909a1914055575b0edde75e53479739c54eae1b9282eb96172930ee10935d0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_de.dll

Filesize
31KB

MD5
642225f16e2c841a23eb51dfc6e0e1f6

SHA1
bcb8ed686351cc56f8c5c326b1032eea7e07c4bc

SHA256
95643c34f8ba13738ad3d19a4eb6cd52eaf39f55cd46b21e148627866b4ea30f

SHA512
d9fe06e5a81dbdb457f93435966e4321c1b0020e68ca0c466d870e599206a9f1b245653259a051e885cd8b88117881456d248308d278af86e6b3f75f41918b1d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_el.dll

Filesize
31KB

MD5
2c1b44a6c27b8510335dfe8c22d01840

SHA1
e2c291fbf5a709a7a1e3c5ad507fcecf25e11554

SHA256
b15d11ec96c712d102125d2e1de19507889562f857910e6f76a400d412c4afe4

SHA512
adc4171a9335721c13d9d4c71ec0eaa3e873ec1729443b258eebe9ad723380bbf3eb912415f650ac3c8a13d31b658acbcc8cfbbb6fc6453eeb82b619a35e805d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
985d279b815e130a790eaecd697bb5ad

SHA1
bed21cdb6b3983a86fc7fd3d4e0bdf2a7690807a

SHA256
22a5f81e478dcc8d54e0a0ca10a66ff98117698883d9fbdee36a110d6554f14f

SHA512
018c9dd127a8b8900236c4c10c7770384db82946f6f1646878683960dee06b150558e52bf55a8003e7467eb9b1359d24f081539c644b7c11efa5e661e645ba4e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
67ca727bdf1e5fd6686fe3e6c1b1d43d

SHA1
d3ee7ce26c3b1eb4e0fcd5af6f83bbf3c949e8df

SHA256
c54a461e2eeb79d7462a4f3810f720835a2827ca752282c01520b8fede5c65da

SHA512
68e93cae35433f27593f92d1741ba98a430c6a408394de4f10ce0219fe8213e7878df71747c597c7384660ed696e35dedc08a1d15d5175f9b781fa70d92a3dfe

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_es.dll

Filesize
29KB

MD5
4dce98d8ab8857371dc4f787c77b91b7

SHA1
9d8569edcb1af0e122e5293495f94b388a3c6f3d

SHA256
7b79d2f66bdfea60aed02eb60f3d28d396c23c147e1d42f3f10a82b5d3afeb47

SHA512
6f4ec5f3fc6f5dcc77d2e811b9fbc4dd00dd15385739888e81835624bbc5e5d32c11eb23bc5dc4e6e9c2b66c77c923efd7edb81f9d8b88b446ba244455881fb2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
28777e8a0de15e07d365f375b71796c3

SHA1
4f3231a68e7d4817c5f6ab20bcfbc208ba63b6ea

SHA256
571aa6917ccbfe221dbeeb485b9f9b358dc2b3ec72271854f880fbadeebc9665

SHA512
87a14421ba72f5255d568c1be6f8e108db587525909ae33cd84526714ff89a3ea2bf9c9a78c11718fc3f22c0139ec2bb4d9cde2327cfd4a8dbdd51e992d7381a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_eu.dll

Filesize
28KB

MD5
7ee4925d3b4e4116b0b4d61a03ffdc96

SHA1
7f6e1116374314527100ee854ef5befcb962ce77

SHA256
99fd8800699829fd0ad767eff54dafeb913a6261ccb5c31825fdef6835653ae9

SHA512
c6ef896870d427fc2ee783bc38b187fc5485dfa9c29f14f4b044b060f2385b445dd051c83a9412d3fde79f929755239061ddcefb012f8fc38ce257c87dd9a8b5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_fa.dll

Filesize
27KB

MD5
f1e551e10354047b68ec1aa1b36327c4

SHA1
417b267661838c0626a74e1232154d8245c4bb0c

SHA256
171ef4f700c8bdfe146e9ac7306c72b7a41153796d23e526aa6852a150207463

SHA512
674ba129c8e1b2d9dc57e77595a994afd8e19f81cff86dbd749c855aff1ffec9c7e9920e1d45b193d83ec6f20ee4fe5966415006a0dff357b471d97b271fa067

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
73b893cd1d2d759f98944e8809db3ce4

SHA1
70fae4564f9eeb3c503a13eebbcbe725e9c2caae

SHA256
bc9ed2615e5e6c185c20bbbef898e5ba1543b6dedb15330080dc41e74a0a5df1

SHA512
255ef2552a35cba6fd41b53cebee1b9749485017a053668c1271aaf0056bd08107dba6c842a926c83d78472c92aa92f54fbd84678557dc911d20fc190ee242ed

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
06fc13625ead1257583224eae1afe1c3

SHA1
02f3de2d81c4c2868a73211d8096ae79c506d846

SHA256
ef3f30691b45838caff42db92a4d6cb8857c8c36ba4b3ed9bd600bae8dc0fcf6

SHA512
b2fb89890c6ebf54a325bb1023194f461b532f94113b3ddbe337aa556b0db38159643c57e41b121b3bb21c4e547bd3e89137462a3fa29608e0dbcba00aa9cae5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
30c5a417363b47f3a58d08e44198dd17

SHA1
1e979631e34cefee21b8a0e0aa22f4dd6e30dedd

SHA256
1e76475df6a8a5889f0757584787112745a3775c8dcb04257a4ec0a2cfa58b9a

SHA512
691e25436186bbda91b471b5451d06950943e6efe653362be50a3f0d21f341f4b8f751c617f39ab04571d92ef93c04b9db04192220173b66d879cbd5128f7287

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
46b4263a73c35d717d65eae93c781f81

SHA1
3f8678c63d174aa8289d20b7f821a326c33ec07d

SHA256
88661266d279b161264678af48fbfbdcaf28b1f8821336b3fb16e2126c5e5e11

SHA512
3453b80619277b9efe19f2302a2a2c94372ed2ccec2a01d07741fe037f64e93b281757669750db8e6cc2efdef96b0eb1e373211da51ab887d8f0eb748931cce6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ga.dll

Filesize
29KB

MD5
5381426201e98d1e6efd86d24e341f62

SHA1
2b2df88be65d0512e140931c2878563345c77dc0

SHA256
e3f7c7d612945fc79d2e47872898ae3831d4bcc73bed8d24513780612fbc0523

SHA512
9e6aed7dcc33f7c9e9a888da580c2d1e4732e3a61a04bc7e682c11aea53391c82d849e341a98edff7d4792b2d2f5f0e61730d12e19fc5b2a77a5a1087c2b9fab

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
6feb8258912fca8354160c02d70de767

SHA1
d04f918370da6a637f5a032c8bb616ab8d0d9b64

SHA256
6b13e8b6149be225e7f35fbccfd84cedeed9219f06b70630db6bf4be598fa25d

SHA512
f69ae204b6569b1cea77fbcaab30d556d325fd18989a347837cd08eb669dbc6bb7794820cb3028f864be7109af84c8532525242063fc2d1901f588fb458dc02a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_gl.dll

Filesize
29KB

MD5
75c582abc6e13902afae51da71cdb3ec

SHA1
0f1813d9992209d9fe60bcafae8f8652658832eb

SHA256
587b4af55922cbf961852d0a9234c77eebf0ded6e561b18b09bdb2b2d8b2190e

SHA512
7afa52772caf93df7cba83fcffb8b427860dcd92fee4ac732f42b5db11c3c5ef086b212bda555cb095e23d89669e0e8a31c55ca59d9b00e564c5b7ddc43de4ad

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_gu.dll

Filesize
29KB

MD5
80f4ee6f0158c5a2f50e90ab12051ef3

SHA1
4a0daef60adc57559bcc22a5b071a0609de82b75

SHA256
066e0e6f67fb92785002e0cfdc09777b330c55cf8d34f9597ad45aa5c2171849

SHA512
b6cf12625f54bf1855797100a4fa3a5fff0e4c6fa8448ea78afdadccc2639237b34a4b058592a783d5918bdcdafe562d8e8bb59fdec5bb90f3f356fb94e70432

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_hi.dll

Filesize
28KB

MD5
2cdd815eca87eea8363d7789cbdd8595

SHA1
3dec86ff3c88b96da8ebdf340d149b775f84880c

SHA256
0150d75f78763060d4b5b00e1cdc87cdd6398fb42666da9a733c8b708f3f53f5

SHA512
3d66a2b955cc31885df66b9ace4f472136ffd94a00ad769414831f4df66e5f1b44b1d8787e781fdd2ef4300ab0e03b4ecd638f46e39958df7a12281ad6812fcc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_hr.dll

Filesize
29KB

MD5
a2027e9099d943f12ca8a5b6f3f216d5

SHA1
b9060511354ac7204df9aa441fb084886f135034

SHA256
c74ed61b07e5120798795de86695b8b80255f3111b77836f89820df27dc09b87

SHA512
2ea7d141b568ac5df1ba6ccf2af3c4c4acef080763e68e3f3e2b3b3ffda9deda93fa1b9a4e19541afa1f4cf2039b576df23ff98c68d96213944d4f942266ca44

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_hu.dll

Filesize
29KB

MD5
23a61f4e352d09431c3e6ec05522fd84

SHA1
c663b459ce508255cc7b09615520142694526191

SHA256
65c0d3996fef2d9caf87e609fb16173c1b35a691a71d926ed3858955566be3fe

SHA512
4ec261b2b4b32219eb168da8c247152a1ea4139e577974c0ab571ce84301fde030cc5c3fd554ab4f8dbfba9059be51b6ffca4eef996d5782968cbdf94a474133

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_id.dll

Filesize
28KB

MD5
874409f9bd74f4238e02a15ef3a21d94

SHA1
5e0336c6717345d102c4b58032e43e2a316e92ca

SHA256
77fc8dd2400150d098583ce867fb98c5beec0f0ea72542418a8a99451af12fe7

SHA512
4bfda3c743f435ad88db71feaef1a8ed9706adb255d68dedf7704af618476191524e0d9fe19b2213542ac9413f05d4673eca1cc94b00f5d4191868b59e063d5e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_is.dll

Filesize
28KB

MD5
07aa8bf27778ef275b4f7a5242eede66

SHA1
386a57f02a521d373466eef276d59c69409d6854

SHA256
60e6e4cdcb2147a4a516198746adba553bf9da839a2979222efb9c4220399ec6

SHA512
2e529fcbed1418bd2ac674e21d49636af0e7aaaee4f2a63bc17a13a19e43ed9c7c55335089f3d73b232ea911ba384639696a33b603e2b5bc0857875ae78c8217

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_it.dll

Filesize
30KB

MD5
22edd8cd3e92e093ab858277552a42fa

SHA1
cd5798edcb6ff59a1592bb7a0e044599b7bd8d9a

SHA256
620d1ddd4ea912b58589ca415dfd80c78f49c3bcfd6012512e309c4556ba932d

SHA512
54838f0c7443930cb3ec1335a7000344453b62d4103bb0ce805a5c5187d63bf9016c9b92ef8a2437e1a9abc5c4b1a632d4c95bf57c217adbeb33dcdf50b68dbf

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_iw.dll

Filesize
25KB

MD5
46cf423c6ef9301ae776b8f31a0163ba

SHA1
e45a34cd8e0e96111c4ec547fa22d176b185aa01

SHA256
b4e700f59f1362b0ff2a6987a5a4604225f6aa02c897bfaeafd0cd220dd02837

SHA512
c5e567d6d3aa19cc51ec258e596df2c9c742fa135ffa84b1a33b1a4a8b2c74f6e2e2ce0ee1dadeeac55456d2c2d949a440b4ecb9d0d8c69b57c292844266493e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ja.dll

Filesize
24KB

MD5
196a62a2a30088c4f8f0b637e972dfd4

SHA1
cd650889e43abce3a968778e7f47b9f7cd791f64

SHA256
fcff08b2b6eec5c1d4a833e3b837923c5fd3f3789a42f9d3683c62e7d8320940

SHA512
92861604f2f2077eb70df34fb1b6f91da02a144ded1afe84c7b3878bf068f740ebdef5402ad6832b4c87716d271548c5cc04acf472d3d1564a781a3c5dda5033

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_ka.dll

Filesize
29KB

MD5
5cfb34e296eccfcd63a6b86fcf04369a

SHA1
35fc9121ed4901d2213b612194dc6865bb3f4bac

SHA256
6ba87a9a475468dad616e007f7953a5f193039714357361b4b5e64c7f4123d3d

SHA512
6ccdf706485a0e719ccc806deb4689c7682f269b93869aac746aaa6831c5ebbbdc8b3acc6bc5aed61aeecfe48a37f63357722e55e2c806bd91691098af486247

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_kk.dll

Filesize
28KB

MD5
7baf1dd8638a4e15c791ea503de05aee

SHA1
389fe381c5a903bb3fc1614fe5960c1b16d491ed

SHA256
7bf3cb81f44fe8ab41b4f9b221a3c1f82de5388db0aa9b94fb60862748d2862e

SHA512
b24bec0201a6246e2ccb1587466c7dfa186b3dcec59eeef1fc8db098e702a8eda49211bbd87e6fb9c553b3e70c38c1669b32072d572d2e8139d015f0710a53fb

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
15KB

MD5
f954b967248d5c381cee26df744f23f8

SHA1
b7f3434f9a94e5f49b1105d9c25d026c5c2a7bbe

SHA256
a0c2a8240408a9ed4e94857823ef5390810c78f67011c37b33abecaa41b0781d

SHA512
3616aab0887d7b3be1c333b5f01b5486f05a70a8f0620b5b4ccf005edfb54c7913a838615ed3f1ae5837e5b3af75a12abe37d66953c5a9380f0b96fb65edf1d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b1d735132bf42b5da257b1b3a092298

SHA1
e61dd6d839a7313a331498912d38e7b943577949

SHA256
d5d51061bb2a3dc110e866b4868d4b0e414a4173249f39c9623a9716f7ad4851

SHA512
574c7957113601c7b35fcb30e634a592038a1c5b8c5c913a4977ff7e887830a56e4a0a9c80dd12f69358c021affe6b5ad1ee65cc3fccffe1abb0900788322485

Download Submit
C:\Users\Admin\AppData\Local\Growtopia\Growtopia.exe

Filesize
39.8MB

MD5
eaca97167873094e5561a7a8c270edb0

SHA1
039be5d64c9fed35ba20e3bc049ff7a80d8bd69b

SHA256
ef525f5c3ae61a24e99fa290043e6a41b4bbe73fbec799addf7545538814044d

SHA512
912ea2fbf9e85f4828424d86535f3f86275b86865cd861ce7709321cd29cfd7828f32478e00b5cd938e3131f6f0fc2c7981d7c7fa7e2d90255f289dc91f0e6bb

Download Submit
C:\Users\Admin\AppData\Local\Growtopia\interface\large\az_4x3_adv1.rttex

Filesize
67B

MD5
1896385b19daa70f512320ba52a1fdf6

SHA1
63f2954b2cd949e45d02c4f1d4c3f35063aec757

SHA256
71fa2aa665788dff80d37cc26db1f6845685d7542bcdac61779a95a51bf95309

SHA512
f23b50c201e0cf1ff42e4e543e6ae856573cec3e11fa6cec66a8ca661fe69f3cbb4728b3d0e4e2762cd9f2b98e44297d9969ba1a93224dedf8e8e044d37febc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8AE3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8AF6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse1E0D.tmp\ioSpecial.ini

Filesize
565B

MD5
f67ac6bb4237d62412613d5874f52778

SHA1
568e61598b463e058ef93547ce2e6ed18a8c9fb8

SHA256
4c3a3ad8c43d6ae42122eedd22987c0ce5b4de76eaf44dff7d1bddaa768f56b8

SHA512
1c954be7ff150f74ed742db821b8a595d08348aaaeaafd189b83b475688ef6464f46e52279ce09bdced0191878cfe74c9f4a79d54c39f53e84427f94cf60d110

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse1E0D.tmp\ioSpecial.ini

Filesize
604B

MD5
646d3220497b203f7a62f292c2b4ff28

SHA1
e6912c23c63b7469345cb4b6bc91d05ef9786783

SHA256
14ee2d964e68888df3b1fff8fd1e6a18bc56c0e77b796c28b905cdd5e13162ce

SHA512
95c861e1c3040ca0d129fba235b032aae7b6747aa8e2389aa3fa4efa1e19b1afb26286c7b4c1ff9797306df4a2528cf82f5b9f1152c667beed1b35b8b0e67087

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse1E0D.tmp\ioSpecial.ini

Filesize
776B

MD5
c309f72cba514bb66e2a62f9d3fe2cfd

SHA1
27341a260b8e0e78397d42d11275a048fbaf09de

SHA256
5920747e0575a757f82f4a0a88103f295cf4e290f3a3962dd63efb3672f33ff3

SHA512
38db4bcc5ae26c27840b22fd50fd2023dff41bc107781dc0d9230742a29823bd56d4e89d9e8571dc7b1196e330ab9728f7b714070dd5ab07a47b252c7981ec9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e46eca4f-393b-40df-9f49-076faf788d83}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e00a315509cffdf112108cad66da6c57

SHA1
d8337f170b38cecff0b6d2e20cf1970427b7d767

SHA256
e32d8ecc6b07ebe7ebf205c16e38ee247a76091be6934258692375ff25b65390

SHA512
38f1548a1e04ab2b3d47537761beddaa53eca7b64ae38169769e767a5e1fd57a7b97fd8c78142bd78a59cc1e272fb5aaebefda5e8ebc0fce6763d29d723f9749

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
291c7c5e254c94a211995a18d204253f

SHA1
6d0a69d47901a8b1e7e9e16a7e16eda3ded26778

SHA256
cb5e51a064e9a1933e553ab183c6be891254e9cc8ac473bee579759941e71274

SHA512
0993cf516bbbe9cff368915d2db00496f4d3f84a91847392eb40919e8c0926f4330aa7477746c1d8910a5f4506556bfa34dd2654417578e694e886c05947e721

Download Submit
\Program Files (x86)\Microsoft\Temp\EU70CD.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
f5f1ed2d55637a183674959e82cab3c2

SHA1
9472086a62950c6b40e1ecefc1fda4573e36ef3c

SHA256
cfbe36dac5d40f221f377aeaf2e983dc76ab3667f4672676a8fb37c7bd4f9fbd

SHA512
9c4635f791608f815e359ce49f7535bcaca404dd4932efb23f638bc9900cd77854b1d38b5ca60e5dbf3e252cf06bb179b4d9a77368b524233117f48bef345013

Download Submit
\Users\Admin\AppData\Local\Growtopia\MicrosoftEdgeWebview2Setup.exe

Filesize
1.6MB

MD5
8b9812ba27e12c79319d859e97955ca4

SHA1
3cb35ac811c27e7b21b381dccab55517609190c3

SHA256
a63d59b2af0c7b2be6984280386042a230dab928e3b426d51a0afb2eff5f98e9

SHA512
8312081fcca20f1d8d393ea2588c2fd19830eb9b36700ec8bc541cd25c4c2046008f3eec07883056956adae5c56083d43ded74d3122d21555d1e43a9d1ab5618

Download Submit
\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe

Filesize
13.9MB

MD5
27b141aacc2777a82bb3fa9f6e5e5c1c

SHA1
3155cb0f146b927fcc30647c1a904cd162548c8c

SHA256
5eea714e1f22f1875c1cb7b1738b0c0b1f02aec5ecb95f0fdb1c5171c6cd93a3

SHA512
7789eabb6dd4a159bb899d2e6d6df70addb3df239bda6f9ead8c1d2a2ac2062fce3a495814b48a3c2bec12f13800ad0703e2c61c35158b0912011b914f098011

Download Submit
\Users\Admin\AppData\Local\Temp\nse1E0D.tmp\InstallOptions.dll

Filesize
14KB

MD5
3e277798b9d8f48806fbb5ebfd4990db

SHA1
d1ab343c5792bc99599ec7acba506e8ba7e05969

SHA256
fe19353288a08a5d2640a9c022424a1d20e4909a351f2114423e087313a40d7c

SHA512
84c9d4e2e6872277bffb0e10b292c8c384d475ad163fd0a47ca924a3c79077dfde880f535a171660f73265792554129161d079a10057d44e28e2d57ebc477e92

Download Submit
\Users\Admin\AppData\Local\Temp\nse1E0D.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Users\Admin\AppData\Local\Temp\{e46eca4f-393b-40df-9f49-076faf788d83}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
memory/1532-417-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/1532-694-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/1532-418-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/1532-1528-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2016-1298-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2016-2088-0x00000000003F0000-0x0000000000425000-memory.dmp

Filesize
212KB

Download
memory/2016-1518-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2588-903-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2588-528-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2588-1297-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2588-696-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2596-1131-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2596-904-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2596-697-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2596-529-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2648-526-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2648-902-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2648-695-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download
memory/2856-527-0x00000000741B0000-0x00000000743D3000-memory.dmp

Filesize
2.1MB

Download