darkside | 4dcb5d42f6a37cb000de14de346978fa3a9f6a8cd4e41aaec3a15534cc726a1d

Analysis

max time kernel
303s
max time network
412s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2023 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Darkside.exe
Size

59KB
MD5

cfcfb68901ffe513e9f0d76b17d02f96
SHA1

766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
SHA256

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
SHA512

0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
SSDEEP

768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5

Score

10^/10

darkside discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\README.9d117154.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (160) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Darkside.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\LockWatch.tiff => C:\Users\Admin\Pictures\LockWatch.tiff.9d117154	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\PushWatch.tiff	Darkside.exe
File renamed	C:\Users\Admin\Pictures\PushWatch.tiff => C:\Users\Admin\Pictures\PushWatch.tiff.9d117154	Darkside.exe
File renamed	C:\Users\Admin\Pictures\AssertHide.png => C:\Users\Admin\Pictures\AssertHide.png.9d117154	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\RedoConnect.raw.9d117154	Darkside.exe
File renamed	C:\Users\Admin\Pictures\SwitchBlock.png => C:\Users\Admin\Pictures\SwitchBlock.png.9d117154	Darkside.exe
File renamed	C:\Users\Admin\Pictures\ConvertEnter.png => C:\Users\Admin\Pictures\ConvertEnter.png.9d117154	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\LockWatch.tiff	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\PushWatch.tiff.9d117154	Darkside.exe
File renamed	C:\Users\Admin\Pictures\RedoConnect.raw => C:\Users\Admin\Pictures\RedoConnect.raw.9d117154	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchBlock.png.9d117154	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\AssertHide.png.9d117154	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertEnter.png.9d117154	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\LockWatch.tiff.9d117154	Darkside.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Darkside.exebitdefender_avfree.exeagent_launcher.exetorbrowser-install-win64-12.0.4_ALL.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Darkside.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	bitdefender_avfree.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	agent_launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	torbrowser-install-win64-12.0.4_ALL.exe

Executes dropped EXE 21 IoCs

Processes:

bitdefender_avfree.exeagent_launcher.exebddeploy.exesetuppackage.exeinstaller.exeProductAgentService.exebdredline.exeProductAgentService.exeProductAgentService.exeProductAgentService.exeProductAgentService.exeDiscoverySrv.exeDiscoverySrv.exeProductAgentService.exeProductAgentUI.exeWatchDog.exetorbrowser-install-win64-12.0.4_ALL.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
2248	bitdefender_avfree.exe
4948	agent_launcher.exe
5284	bddeploy.exe
4776	setuppackage.exe
4164	installer.exe
3960	ProductAgentService.exe
680	bdredline.exe
6044	ProductAgentService.exe
4784	ProductAgentService.exe
724	ProductAgentService.exe
5200	ProductAgentService.exe
628	DiscoverySrv.exe
5508	DiscoverySrv.exe
3844	ProductAgentService.exe
3280	ProductAgentUI.exe
4080	WatchDog.exe
4468	torbrowser-install-win64-12.0.4_ALL.exe
4484	firefox.exe
736	firefox.exe
4592	firefox.exe
1184	firefox.exe

Loads dropped DLL 64 IoCs

Processes:

installer.exeProductAgentService.exebdredline.exeProductAgentService.exeProductAgentService.exeProductAgentService.exeProductAgentService.exeDiscoverySrv.exeregsvr32.exeDiscoverySrv.exeProductAgentService.exeProductAgentUI.exeWatchDog.exetorbrowser-install-win64-12.0.4_ALL.exefirefox.exefirefox.exe

pid	process
4164	installer.exe
4164	installer.exe
4164	installer.exe
4164	installer.exe
4164	installer.exe
3960	ProductAgentService.exe
3960	ProductAgentService.exe
4164	installer.exe
680	bdredline.exe
6044	ProductAgentService.exe
6044	ProductAgentService.exe
6044	ProductAgentService.exe
6044	ProductAgentService.exe
4784	ProductAgentService.exe
4784	ProductAgentService.exe
4784	ProductAgentService.exe
4784	ProductAgentService.exe
724	ProductAgentService.exe
724	ProductAgentService.exe
724	ProductAgentService.exe
4164	installer.exe
724	ProductAgentService.exe
4164	installer.exe
724	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
628	DiscoverySrv.exe
628	DiscoverySrv.exe
4744	regsvr32.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5508	DiscoverySrv.exe
5508	DiscoverySrv.exe
5508	DiscoverySrv.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
4164	installer.exe
3844	ProductAgentService.exe
3844	ProductAgentService.exe
3844	ProductAgentService.exe
3844	ProductAgentService.exe
3280	ProductAgentUI.exe
3280	ProductAgentUI.exe
3280	ProductAgentUI.exe
3280	ProductAgentUI.exe
4080	WatchDog.exe
4080	WatchDog.exe
4468	torbrowser-install-win64-12.0.4_ALL.exe
4468	torbrowser-install-win64-12.0.4_ALL.exe
4468	torbrowser-install-win64-12.0.4_ALL.exe
4484	firefox.exe
736	firefox.exe
736	firefox.exe
736	firefox.exe
736	firefox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

Processes:

ProductAgentService.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_1593F3C3102A71FA61528AB81588ED09	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_1593F3C3102A71FA61528AB81588ED09	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ProductAgentService.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\9d117154.BMP"	Darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\9d117154.BMP"	Darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Darkside.exe

pid process

2108 Darkside.exe

pid	process
2108	Darkside.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeProductAgentService.exe

description	ioc	process
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\nl-NL\bdsubwiz.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\sv-SE\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\success.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\es-ES\bdsubwiz.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\html\Agent	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\html\Agent\login2_no_net.html	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\ico_red.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\installer\bdec.dll	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\installer\lang\fr-FR.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\css	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\de-DE\productagentui.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\pl-PL\bdsubwiz.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\pl-PL\bdsubwiz.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images_2\common\bdui_progress_fgr.png	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\settings	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\bdnc.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\ro-RO\bdsubwiz.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\sv-SE	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\html\Agent\progress.html	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\ill_protect_device.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\installer\additional.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\bdreinit.exe	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\settings\LoggerConfig.xml	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\loader.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\installer\lang\es-ES.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\nl-NL\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\btn-close.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\ieloader.gif	installer.exe
File created	C:\Program Files\Bitdefender Agent\version.json	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\pt-PT\bdsubwiz.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images_2\common\close.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\redline\bdch.dll	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\storage\modules_cache.json	ProductAgentService.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\bdch_bdec.ini	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\installer\lang\en-US.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\bdnc.uuid.tmp.5200	ProductAgentService.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images_2\common\icon_informative.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\hu-HU\bdsubwiz.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\sv-SE\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\down-arrow.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\redline\bdredline.conf	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\fr-FR\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\slider.png	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\ui\rtl\commoncss.ui	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\ProductAgent.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\close_hover.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\redline\bdec.ini	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\installer\bdnc.ini	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\it-IT\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\settings\ProductAgentCommands.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\b-icon-popup.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\icon-warning.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images_2\common\close_hover.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\sv-SE\bdsubwiz.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\ProductAgentUI.exe	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\css\main.ui.css	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\ico_red.png	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\minimize.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images\network-error.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\images_2\common	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\skin\img\btn-close.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\26.0.1.244\bdnc.client_id	installer.exe
File created	C:\Program Files\Bitdefender Agent\26.0.1.244\lang\tr-TR\bdsubwiz.txtui	installer.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ProductAgentService.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProductAgentService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

Darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\WallpaperStyle = "10"	Darkside.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DiscoverySrv.exeProductAgentUI.exeDiscoverySrv.exeProductAgentService.exeWatchDog.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DiscoverySrv.exe

Modifies registry class 50 IoCs

Processes:

regsvr32.exeDarkside.exetorbrowser-install-win64-12.0.4_ALL.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ = "IUPnPService_SCPD"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ = "IUPnPService_SCPD"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\9d117154	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\VersionIndependentProgID\ = "ProductAgent.UPNPDevice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32\ = "C:\\Program Files\\Bitdefender Agent\\26.0.1.244\\DiscoveryComp.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\ = "ProductAgent UPNP Service Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\ = "UPNPDevice Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\CurVer\ = "ProductAgent.UPNPDevice.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	torbrowser-install-win64-12.0.4_ALL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.9d117154	Darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\ = "UPNPDevice Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ = "UPNPDevice Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0\win32\ = "C:\\Program Files\\Bitdefender Agent\\26.0.1.244\\DiscoveryComp.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\9d117154\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\9d117154.ico"	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.9d117154\ = "9d117154"	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\9d117154\DefaultIcon	Darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\CLSID\ = "{CB23A858-ED47-425B-AAD2-D809C11E1DA6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ProgID\ = "ProductAgent.UPNPDevice.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\HELPDIR\ = "C:\\Program Files\\Bitdefender Agent\\26.0.1.244"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib	regsvr32.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

installer.exeagent_launcher.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	agent_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	agent_launcher.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1008 NOTEPAD.EXE

pid	process
1008	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exeDarkside.exechrome.exeProductAgentService.exechrome.exe

pid	process
220	powershell.exe
220	powershell.exe
2108	Darkside.exe
2108	Darkside.exe
5580	chrome.exe
5580	chrome.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
4752	chrome.exe
4752	chrome.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe
5200	ProductAgentService.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

chrome.exe

pid	process
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Darkside.exepowershell.exevssvc.exechrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2108	Darkside.exe
Token: SeSecurityPrivilege	2108	Darkside.exe
Token: SeTakeOwnershipPrivilege	2108	Darkside.exe
Token: SeLoadDriverPrivilege	2108	Darkside.exe
Token: SeSystemProfilePrivilege	2108	Darkside.exe
Token: SeSystemtimePrivilege	2108	Darkside.exe
Token: SeProfSingleProcessPrivilege	2108	Darkside.exe
Token: SeIncBasePriorityPrivilege	2108	Darkside.exe
Token: SeCreatePagefilePrivilege	2108	Darkside.exe
Token: SeBackupPrivilege	2108	Darkside.exe
Token: SeRestorePrivilege	2108	Darkside.exe
Token: SeShutdownPrivilege	2108	Darkside.exe
Token: SeDebugPrivilege	2108	Darkside.exe
Token: SeSystemEnvironmentPrivilege	2108	Darkside.exe
Token: SeRemoteShutdownPrivilege	2108	Darkside.exe
Token: SeUndockPrivilege	2108	Darkside.exe
Token: SeManageVolumePrivilege	2108	Darkside.exe
Token: 33	2108	Darkside.exe
Token: 34	2108	Darkside.exe
Token: 35	2108	Darkside.exe
Token: 36	2108	Darkside.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeBackupPrivilege	2744	vssvc.exe
Token: SeRestorePrivilege	2744	vssvc.exe
Token: SeAuditPrivilege	2744	vssvc.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeinstaller.exe

pid	process
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
4164	installer.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

installer.exefirefox.exe

pid process

4164 installer.exe
736 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Darkside.exechrome.exe

description	pid	process	target process
PID 2108 wrote to memory of 220	2108	Darkside.exe	powershell.exe
PID 2108 wrote to memory of 220	2108	Darkside.exe	powershell.exe
PID 2108 wrote to memory of 5484	2108	Darkside.exe	cmd.exe
PID 2108 wrote to memory of 5484	2108	Darkside.exe	cmd.exe
PID 2108 wrote to memory of 5484	2108	Darkside.exe	cmd.exe
PID 5580 wrote to memory of 5652	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5652	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5800	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5820	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5820	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe
PID 5580 wrote to memory of 5912	5580	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Darkside.exe
"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL
2⤵
PID:5484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a3989758,0x7ff9a3989768,0x7ff9a3989778
2⤵
PID:5652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:2
2⤵
PID:5800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:5820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1284 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:5912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:6048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3316 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4532 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:3296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4996 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3240 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:5404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5044 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3404 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5100 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5708 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3332 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1020 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:5424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5124 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3280 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5620 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3372 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:5292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5972 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:6012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5152 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3324 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=4716 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5172 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6192 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6332 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5664 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3296 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:1480

C:\Users\Admin\Downloads\bitdefender_avfree.exe
"C:\Users\Admin\Downloads\bitdefender_avfree.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2248

C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system certificate store
PID:4948

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe"
4⤵
- Executes dropped EXE
PID:5284

C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe"
5⤵
- Executes dropped EXE
PID:4776

C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe" protect
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3960

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6044

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe" enable
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4784

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe" start "C:\Users\Admin\Downloads\bitdefender_avfree.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4352 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=5896 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:5340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=2836 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:5796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4624 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5892 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4580 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:3060

C:\Users\Admin\Downloads\torbrowser-install-win64-12.0.4_ALL.exe
"C:\Users\Admin\Downloads\torbrowser-install-win64-12.0.4_ALL.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4468

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4484

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:736

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="736.0.203359547\774458529" -parentBuildID 20230702050101 -prefsHandle 2016 -prefMapHandle 1792 -prefsLen 22722 -prefMapSize 228120 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 736 socket
5⤵
- Executes dropped EXE
PID:4592

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="736.1.155248610\2034471474" -parentBuildID 20230702050101 -prefsHandle 2064 -prefMapHandle 2060 -prefsLen 23140 -prefMapSize 228120 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 736 gpu
5⤵
- Executes dropped EXE
PID:1184

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="736.2.1448316187\2127890810" -childID 1 -isForBrowser -prefsHandle 2800 -prefMapHandle 2792 -prefsLen 25492 -prefMapSize 228120 -jsInitHandle 1256 -jsInitLen 277276 -a11yResourceId 64 -parentBuildID 20230702050101 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 736 tab
5⤵
PID:4328

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="736.3.38201272\684902451" -childID 2 -isForBrowser -prefsHandle 3060 -prefMapHandle 2700 -prefsLen 25599 -prefMapSize 228120 -jsInitHandle 1256 -jsInitLen 277276 -a11yResourceId 64 -parentBuildID 20230702050101 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 736 tab
5⤵
PID:4524

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="736.4.411134029\751202852" -childID 3 -isForBrowser -prefsHandle 3312 -prefMapHandle 3308 -prefsLen 25714 -prefMapSize 228120 -jsInitHandle 1256 -jsInitLen 277276 -a11yResourceId 64 -parentBuildID 20230702050101 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 736 tab
5⤵
PID:4988

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="736.5.316628086\283798541" -parentBuildID 20230702050101 -prefsHandle 1680 -prefMapHandle 1580 -prefsLen 26582 -prefMapSize 228120 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 736 socket
5⤵
PID:2464

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="736.6.1052080837\768593677" -parentBuildID 20230702050101 -prefsHandle 3204 -prefMapHandle 3208 -prefsLen 26676 -prefMapSize 228120 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 736 rdd
5⤵
PID:1972

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="736.7.961447816\1347692202" -childID 4 -isForBrowser -prefsHandle 3836 -prefMapHandle 3056 -prefsLen 27073 -prefMapSize 228120 -jsInitHandle 1256 -jsInitLen 277276 -a11yResourceId 64 -parentBuildID 20230702050101 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 736 tab
5⤵
PID:4868

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" HashedControlPassword 16:2cd5a09bb55bb72d605a18ee5a0a6b5eca80aed1de7c9a1bdae8aaa37f +__ControlPort 9151 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 736 DisableNetwork 1
5⤵
PID:1304

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="736.8.825681117\875906811" -childID 5 -isForBrowser -prefsHandle 4036 -prefMapHandle 4032 -prefsLen 28966 -prefMapSize 228120 -jsInitHandle 1256 -jsInitLen 277276 -a11yResourceId 64 -parentBuildID 20230702050101 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 736 tab
5⤵
PID:696

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="736.9.1803097936\912566582" -childID 6 -isForBrowser -prefsHandle 4064 -prefMapHandle 4056 -prefsLen 28966 -prefMapSize 228120 -jsInitHandle 1256 -jsInitLen 277276 -a11yResourceId 64 -parentBuildID 20230702050101 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 736 tab
5⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=4408 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:5432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=3376 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:1
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6172 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5728 --field-trial-handle=1864,i,1794141397487272854,10479928609335048291,131072 /prefetch:8
2⤵
PID:860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1000

C:\Program Files\Bitdefender Agent\redline\bdredline.exe
"C:\Program Files\Bitdefender Agent\redline\bdredline.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:680

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5200

C:\Program Files\Bitdefender Agent\26.0.1.244\DiscoverySrv.exe
"C:\Program Files\Bitdefender Agent\26.0.1.244\DiscoverySrv.exe" install
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:628

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Bitdefender Agent\26.0.1.244\DiscoveryComp.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:4744

C:\Program Files\Bitdefender Agent\26.0.1.244\DiscoverySrv.exe
"C:\Program Files\Bitdefender Agent\26.0.1.244\DiscoverySrv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5508

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"ProductAgentService.exe" login_silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3844

C:\Program Files\Bitdefender Agent\26.0.1.244\ProductAgentUI.exe
"C:\Program Files\Bitdefender Agent\26.0.1.244\ProductAgentUI.exe" show=progress event_retry=Global\7295237F-E98C-4C46-A4A4-07F0D66278C2 app_name="Bitdefender Security"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:3280

C:\Program Files\Bitdefender Agent\26.0.1.244\WatchDog.exe
"C:\Program Files\Bitdefender Agent\26.0.1.244\WatchDog.exe" install
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4028

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.9d117154.TXT
1⤵
- Opens file in notepad (likely ransom note)
PID:1008

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
1⤵
PID:3668

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
2⤵
PID:1624

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1624.0.983947490\963535356" -parentBuildID 20230702050101 -prefsHandle 1572 -prefMapHandle 1564 -prefsLen 22300 -prefMapSize 228100 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 1624 gpu
3⤵
PID:5068

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1624.1.730471289\1448993271" -parentBuildID 20230702050101 -prefsHandle 1784 -prefMapHandle 1780 -prefsLen 22300 -prefMapSize 228100 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - 1624 socket
3⤵
PID:1412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2088

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\fe977577f81442ba86ae8b721b08cd34 /t 5484 /p 1624
1⤵
PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Bitdefender Agent\26.0.1.244\ProductAgentService.exe
Filesize
630KB

MD5
d8e14b49233695174087d4e6121e534a

SHA1
75782dee1d1e1bd6a9a921159d4588e4cbf5c123

SHA256
69ad516a4f9447ddd678a7fcd211107ac912c9ea1c2d06360acadba857a7b7af

SHA512
7f7c111f5b2b36a93093cdd03b040be7c2ec5b7c36e12a6c645f408067f7bfadf8f81d75fd6ca3e3b588ddd6bb8e9cc02856abadd85b8595fee6b9c4f3712d4a

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdch.dll
Filesize
2.0MB

MD5
5a700d5975a63a827d78c008f75168af

SHA1
5dfd9597c265eb8c95467f45c1e11ef3c6b8b27e

SHA256
65738dbed5c9998322385f9643649293563ae79f7fa1392ceb46d9d5341fb5bb

SHA512
a3759dbab4d273e20f76b69c17f677111aca7cddcb4d6dc12ebfe75f3f2c9fc95076a8b3832fdd51a07dd4b18214009b2910f47f957eb2d6e3f2020e6eacbc2e

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdch.xml
Filesize
1KB

MD5
3beda13b03a8c82d8a2a3f0be23212d1

SHA1
285a7fb33e6e5c9fa84fbb0d776575bb49f61e91

SHA256
e9cee860426fd480864b4fb43559bcb14e0cedc51e90abbd3d9d6e4cf4c02e01

SHA512
d1b8774fcbda19e10e660e27cecb49ef0c4a80c25e27a44035613a81e77fa5d77673222e222f41041cc1db3835a13673e58888140fa713c621b3dc8d3f5585ac

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdch.xml
Filesize
1KB

MD5
18c90b47956796d2293fd47ba023aeb4

SHA1
8fd0a6b2b4644b5887bda156e089c760366fcb93

SHA256
2e2bc7b58978228b7a84e2957c78fc9f36d984720f64dd452490665f6f213c4d

SHA512
f2d06ebe277ba0d64608af2e276436d5f2a7fb2b4f0ad85a6a1094d62611f378147ec1575fc82388d7cbcfe5572b22bc3a5eac47e3b08a5aa5bc645f703eb83f

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdch.xml
Filesize
1KB

MD5
2227a11cac9c999fbc7d104b34012d73

SHA1
04e29c2a092f4bcbda17733675e9de38bbc33a60

SHA256
86f451507086991009b53dc986f1cc191c996b9b2310cb90ec163a9904823f3d

SHA512
92a755d47975ec05568c1a93ccf7e077d4ed284803e9fdafb28f44cc37a07e45548a4f5e3faae4c0f5a9f02c38bd99f8d9020b38d225c1c9a8cb5d59a09f29d4

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdch.xml
Filesize
1KB

MD5
96bea70bd753569775746d5b3f4ee209

SHA1
743454c212879e862d9bee464d31ad42ddac365f

SHA256
412e269c03a46faf638018724d3d0704866d0244b01d9ec1ee47871a1dcd2e00

SHA512
a8f138aed45b7833e0cc1c8fc21ed4041f07a692b049be97dcaf686a8fe2e3e64bd7456edf66336a723d545490a58d03b34e50bf5f451bf8e00b38606fdd05b6

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdch.xml
Filesize
1KB

MD5
7aec2b4f57ed9750a2e7bee08bd1b5fc

SHA1
e26b24f35aaca1ec5f21c103c160179526b68d22

SHA256
146e185e4bda593d757cbaa77260af3a3f0fca9ca649cef6eadf3fe7bc1b26d3

SHA512
49a50d5f7fefd8a0bf5352083417763b55e0fbd45dfa1829094f9705cf35bec61a13dbdf42b3c09090fc85a7416098f6336a5687ac6131b53d157fc23c1f71e3

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdch.xml
Filesize
1KB

MD5
b5949f30d77c73399db1caa5c920c4d0

SHA1
e029903d95547660e2988967bc497f33d2d4c19c

SHA256
94c21b06123271fe0e90b1d54402d85aa70b43b152e0032f723ec78ce18a923e

SHA512
bbdefafe66178af554507dabc606c22437ff7c6692e86a124eb41e82e42105eabc64273e09f5fdda8f34964583d5345e649dfdab921711d29d09ca045c894521

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdec.dll
Filesize
511KB

MD5
43d7ad3ca5b8648ed706b1160eab8d07

SHA1
815c0fc053e684c76355147f42124954861b4084

SHA256
3eba2ad28fca19d53ddb9b7dddb3cb4d817ae9b56f62c89cc41625c0f91105af

SHA512
15d7e9369e1278302c278ef317edcea2756a63fe5c9bdde2226bcb490d656be7c90ebdb779be36e24dc9339686ffa18a2b1910f501a0bb6e5021d41a8c438473

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdec.ini
Filesize
129B

MD5
96d15c4f3db04429631866751a1d2890

SHA1
61066ffead2b6859e4d3fd497a78b05343ccf25e

SHA256
e8d31c1de790f738ef75daa0402584560a0672402d0d3ded0899d2dbc95fb911

SHA512
2e5c94e2d92eadd28f604ed1f04d6e2dc9d9a4ffb3c2270e9d19792ad41c0c536260616a17b433f4f2bc57b31b116ffa06eefb61955b98029f15593db4122189

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdnc.dll
Filesize
1.9MB

MD5
b266f8e59e21973c541643a81f2ded3a

SHA1
a4cde72b0132cef99c569598ce0dd820174847de

SHA256
b0d8ee44600cd03a24dcdd954464d115a3912cf9911500dafd97d1792d18d35b

SHA512
977b58315d86d75b995b2562a38084ce4163569f2a51280f877366ed779ab04801bd8c9dc6feba2082b61f3d4c41cd84c2967eb6770af5f9417e3f5ddb6175bc

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdnc.ini
Filesize
164B

MD5
96b5e37e6494da2a8f09e98df5c58004

SHA1
dbbdd9d6dd0a685e6841efea364b547ac2172443

SHA256
dd5c7a764b9fea6f8c458d9b669b5764c46284dea68ce52b43136c4812d27fd7

SHA512
c35518b34e91dba5424e790398d9d1970bfa8baa99b164fad41b0f52b14b633e5846730a320d31f8b95d5fba9519e6a256915a71db412cc07411f6337f50610c

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\bdreinit.exe
Filesize
1021KB

MD5
612dc44297e0a763ff512777f45ade17

SHA1
7fc76f00bd30dcc015d07b27b8d9a8fce77ebced

SHA256
ae6b8865ae79ccff0a3362aa26f860ed6e145214a3a3a0fb2b04b87cf41023eb

SHA512
dfe00a32dec79809c5773e2046137f1bc53abfd52d714068a86e0631a27c7d2c026a7e14d42805fa12fb0b8fb59bc728178987a2ca777d7df5d1bfcf2d4ba875

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\installer\ProductAgentDP.dll
Filesize
500KB

MD5
6d5587cb412e38da2c6f67be5f91add7

SHA1
5ede786f1066a4d05ab11af91976cf182449931a

SHA256
78b8b89f43f51c890321fc2a32630542ada862a97385e1803fd4a502dc05287f

SHA512
0f152260a656346d9bc3731e5f4ed9f0bc4660fc6027834c055796e9afb3dca85855a1e75639ff17df3985dfa14b08f5ebae0bf400d727efaf89ff59c34942bb

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\installer\bdnc.client_id
Filesize
36B

MD5
f4c2784aa289f17d144a589751c7980d

SHA1
b414dd690863acf3614c25c911697f1b16c24c62

SHA256
e6e827f81840ce8975cd5e30467ddc1661c3f407cd9d342d00800f32c01dcc26

SHA512
3f3f8f8ae91d679745189722c88d97d19e8728ce3289deda2e89a79061ad06d0a627a9783a9ef2a833f6a7843d882bebdae77d178f3d810b581093b299f2b70e

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\installer\bdnc.ini.md5
Filesize
34B

MD5
b0305e5ee72ba268d281996038a6ee57

SHA1
80b974606576ac0c79cc5ba4364ca883e3644728

SHA256
5ace615a54dc4c1b094e7678b4793f15ca7f413b05985c433135e132e0137e96

SHA512
a09c61e5df2b9df0512dcc1227e3d9bd5b28e029eff6fe9da5029ffbff39548e3e5df67ca2a6b9aee05d4d073ecacadee3f6bf8b6488c72f44f66322610d83e9

Download Submit
C:\Program Files\Bitdefender Agent\26.0.1.244\settings\LoggerConfig.xml
Filesize
84B

MD5
35b27a030817d2e7c9dc87c76d0235b6

SHA1
099f532488949dd9adfaf6b18641c275a154b4bc

SHA256
5aa4fa764817f67f3993ab404bb65dd85abe05f7d4e0231311dd767f3bcaa215

SHA512
98cea255ccf933313a4277da6c95f9f0d15dda53d27421d76fbc0fb4306fe5db998a744d1c17f823aebf8b3f97b991254d9baa3fa9a5cc543a1a5d2a311c43da

Download Submit
C:\Program Files\Bitdefender Agent\ProductAgentUI.exe
Filesize
1.5MB

MD5
3c600ac1603836344d30a1914dae1df3

SHA1
c66db548931dbeb71b4428f27bfb57bef056b67c

SHA256
4886f834a7ee691326abc250966528595f3624317902ad9177e0890377c709c9

SHA512
102c0010792ae0cb0204d5bcb1da0b06233f9cede00d2f304cfb932f87464b6673a580fbecdbbe1fc0e622830e69903f35c56e0a494f93898180951e1186de69

Download Submit
C:\Program Files\Bitdefender Agent\redline\bdredline.bdch.xml
Filesize
1KB

MD5
931513be87602ea51a36a1ce63ed4e47

SHA1
fdc239cb0fa8fec6e1d021c106ca55b709545afb

SHA256
6389e387d97a312f87e6f785b7a2b7cf87961edc71ba212b35c71f744eef583a

SHA512
242e7a13ba35c9f4fc22c29d47ea8a49a2d99ec6cf4e1ea16d67def69657adc15e5d793545c2e7892f76ad000c630a31b71c7e17776072689dd5776cf8b2595b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_1593F3C3102A71FA61528AB81588ED09
Filesize
471B

MD5
e7c14f924154a9047fd09d178ca2fda3

SHA1
2a2fc44d9f1c8772f4cb7fc7b838e899ab19fb7c

SHA256
e59cc51d75d802eab22aeef2056d6ee5700fd715ca4ea82fc34d1b21634ee86a

SHA512
a39dad16dedc48b3e0975930be5bb205d23ee0343c4d85b0b90408a7ea392935ce7db1bf5f1733b00a100eec473c090affaec06054eb83e97d5b192b80404842

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9
Filesize
471B

MD5
1356fb56636667919d0ab265c7bb7a1b

SHA1
26f322c48b4770279f3e5a5713f1e036cb095ee1

SHA256
cd89911e6335567b07db1d122c202e0361e06d0167169e955d7ec943854cccc3

SHA512
a040626f3a13a47bc498501d466344cb958f81d793770f32aaa00a0026a6c909494c931d58fd3b124c2e7b7b9caa63a0956d02f4e6d010b96debe35f4b22fa34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
3f0a99377bb0981724fba79c784dbe60

SHA1
253898999291ce3f0e38e966657106d6ba4120ad

SHA256
c968588fbcc15ae0f92f5e23f9268ad233d2ed894574536c1e1a5a1fdf1577d9

SHA512
24bcbd1cc5ddb18ecc3e5da833675342542f58c776b5887c203e7178060b815c40721023387976c8851daaa703788ee9aaf749b969a31d7e20670b8dd480d3d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_1593F3C3102A71FA61528AB81588ED09
Filesize
408B

MD5
97dc6a8a14dcb6d5f5d574051c21d7dd

SHA1
af7c1847dc944b42ffc70f91b2f833accb85d404

SHA256
906000a2ce6407a6d8582fdbc36ea86779e001ec7ad4041fe3b8226b216e1284

SHA512
ee49c72f19f1edfcb5f3c0ccc81446ca0100b2c538e97bbe2617da4664a06da10601a3b6350b9e1d9e5392f8ec4f7c1ea357c4448e0f7a7ff93c68ca7a9730c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9
Filesize
408B

MD5
9fc20bfaf13ead40ea943e8a6518f4a3

SHA1
6c7be289eb94ab67b422952a119ce4f2846a4b35

SHA256
a6b28f8e0348c846b8718e5c49917d4844b7baaa3223f6d4671e1cba4d5e069c

SHA512
f819d6114c51b87f415439a2fddfc4174e5258b4e6d8e3462b4be3f6e4b00da5987505a7e860e88b328da625668a9313ac8bc089dd87836ca30206bdb4bde96d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5a1086a7-2fd3-409e-ab57-f4a5d7d4168e.tmp
Filesize
6KB

MD5
a1a525c3fb1c5818e29ad9e65dd6f03f

SHA1
902b02a87ea773f84feed41de9c4f5b7404c180f

SHA256
29ecb113056fab7b7a6a0ad2339276fab0a49fc4287cd1e59b142d5f0976f257

SHA512
5e19749597396a8c06fa776ae12b3925564a5823e1328ca7d701dcfcfbf0f792a7f31880145bece0e0f1a32888c039ca24572890e70d6f2ce306139e8229fdc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
48KB

MD5
bbbd271f3e5e0d894a4655c388b59796

SHA1
8a1882d0416738405a3984134e81011406ae0fcd

SHA256
86946bd58f593945696d6cea89f921f151048fdc1104d97d748a3a4812afc4e6

SHA512
a901488c4b0eb9362b2b03ed6ee7ee78233954aaa92665e8474aff72d1315546c4edbace156530a4224873be5527113936803242b90c6eb0b37a369c407a11e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
37KB

MD5
5b0c0d429185ff30e04c93f67116d98f

SHA1
8eb3286fe16a5bee5a0164b131bc534fd131f250

SHA256
f1a0b957050b529afc0e94c436976326124ed8968183859c413986487623294d

SHA512
6295bcd662325172b15c476d26f23c8794c4f1454e0e8cfd43bca79b45aa03e1ae721ebdada1c52fe7699027fa97699156280ff259ce3cc476e322ccc0337902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017
Filesize
32KB

MD5
6c879d786391ad79c0d0727d1a11d82c

SHA1
40a7b782bd290e3e03319c3575a43f88c2544693

SHA256
4ac11d1a652398a24ba8c456ad827f93bcf9ad6284845308338ca0ea8cacd0fe

SHA512
59bcacbfa6a8b713ebeefe19d2931c387afc0a9bb606858be474b693f7d8d5ff9d58e0bbdad7092984ce8786f2a45a43f5d1741dd4219eba4808a2469dd57ae9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018
Filesize
114KB

MD5
bc2f2c23c3c273b4f61e12d6cb6e9e11

SHA1
625bc2694cc2e469ab54402ee6412b24e4a6c8cb

SHA256
1f2225dd12e7d65cfc38829a5df674fa3bc89abe7ecc264700732464fbde77fa

SHA512
db327fd10d79913cecd3f7398da164e5f794c61102e1c4a30213cd9000299b93c58d8825f6b934befc75a8b16401dfb81f46dd494159d8bc5680c8b4eeeb49ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019
Filesize
99KB

MD5
ca2bbe05ec07ca9571c95852f36463df

SHA1
533c789c3389b1ac355d167fcd850d14111352d0

SHA256
9305adddf79a5db2390ac68c364ad6bd2110b8006bf5ac913710e82becf38157

SHA512
3f23fab21de393dbb484280461e28f8c61e127da851d1d2dbccbb33ccdd75c5c586c7bdfe21ce2aacf1b3d3a53c15b8d6439ac7cd13a6a737813bd8d520a91bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
Filesize
193KB

MD5
98dd479bd4a1adf386fb76d5e472a2e9

SHA1
66c574fb75e27e88631d0719262672da1fcc0e7e

SHA256
4ffba194ebbf4a92628dff1b3e4878028d53cc0ffaca6d4238772da5756e8b73

SHA512
4c03e19826f102594adbc1528a1b20004812fbd03726bfdfbcb9fc8a8d398fb3ac8d411c25dbc455b577aee75f2a3bb9b05919c9215a98ef71b90e4b3cd73625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024
Filesize
26KB

MD5
282867559cc99d4265c0b2dd6691a697

SHA1
5cb680f536163dfbbe14bbdfeaa1846309966145

SHA256
fa6fdc32737da1a588704cbdbc7fdc804d26d98bb233a25bba156f421c039da8

SHA512
a307cc86669133c68b6452b2fa6e29b25a2f88438a6c0ab5e85af9a1594461c1ffec88d785b84f86f9210c05d1591e43af3de8cbd718eb8ac650e5369d80b98d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029
Filesize
20KB

MD5
4ab212d67df0d744f74a6f6a257b2653

SHA1
7844504c6b52741b4467b98856b2da4d2e276630

SHA256
6b5ed11f9d9bfad094e0177b6339804dbdccfece80ea0636343349543ca69c63

SHA512
49007eda96079f2a85bda5836ee21c5e9e1812e4b2f286551e6935bb61534981b4df7dbbdedc6c1fce487406b934a674ef4dc69308bca6579b93c9c220065e6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a
Filesize
85KB

MD5
eaf364bd52d44aba3df226cbc0aa72bb

SHA1
2b7f3c6cadb1725ef0f14ef2838691c470fc582d

SHA256
d1454c347a1c18ae68362708f934250a56309eb8eb84ee3035efc392bf044a5e

SHA512
017952649becb3bcfa143b2b597e731e1b80d194f4d3b4c342f6a9ee2487a7fc7ef79a6726433194d8bfe47ec5a11c32b8bb235e52af6212db54c55a6c24f64a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c
Filesize
83KB

MD5
491ca64be867ca58e18f6a2bb22ab4aa

SHA1
cb0e4ff983f4b22ef60f579f7c859a0be5ee4145

SHA256
c2720a4d36cbd5ef64c3d60fae4c3364390b84aee1450578d3f4a9911d3b2561

SHA512
dad3e9f5c161fb21f8994fa07b6712f05c431f80f5bd16cc02e2568387ad50460e93cd13f1d3bf3f7f391a3bae6071b71ea7a5d0a1693dceac53d36969728895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e
Filesize
78KB

MD5
e5e00a22c6fc5605fd3c6993aa9d4ae3

SHA1
ca3d4ec6d892f749d564f853cd81b33c30834937

SHA256
64617fe2b1822f7db87b5c0b41c6571a9c451116690ee499dd6ccab2df2793eb

SHA512
1e9ef431459f53b12bc6f72bb848d61a8b82e5a9b25993761fa623949fc0857b0f692fee60a82f20b01265643bc7956a7beb6956b9a9d87d2a6632a74219020c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f
Filesize
67KB

MD5
30d68c2089416d2cc695ef1dd123cb78

SHA1
3aef74eddbb0374fe8ec987a338ef35854de480b

SHA256
6c1f9a76598d651690e66acd8158c338051ca7f27ac7b499febf5c5c62b45b26

SHA512
7c7925d4723a0388c0fcf5055c4d54e9686bb926216e3d2009bfb4721cf1212cfcba8420212915ddf8680c0b470f92b6d538ef743d5b7b2f7e30185c790f7b49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000030
Filesize
22KB

MD5
c94ebee793b36f92671bba5f8fb92496

SHA1
208d86922eb5e4956ba3163482df21ff59f2542c

SHA256
6cee474a022ff1860e2486fee0d1201f6f6dcf86d739b29e05af2ff07fa753b1

SHA512
89e799ecdbadc28e6935e1f82675ed6c435159bf923d0861fffc12b1881ce39fa49c91c5c40811f9cb06af72d743068a8521c539c844147ee3e6a10525b2e35b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031
Filesize
24KB

MD5
20b649419c820d95a1b623663b976531

SHA1
a74a221dd4a216932f6ad162e5d75400a5f169a0

SHA256
ac42ac9adbe8087a2ae03d90ed4cca606024f647881c06fa3b902f03e4a4a4e5

SHA512
89da0e14c95901240d13945f011494add523d72d63f9330c456b1e8edbbbfd48d08e5fc477187cc5bb2f6e3eef2adf3064f822c26ae710bdf71fa9f306bfd491

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000032
Filesize
19KB

MD5
08475cfd380edb2d2e9290e97b3da01b

SHA1
bf77aa35534cbe99d892a7e24391bed6447d01f0

SHA256
90143522192bd04a6c55e30fcad375a9e1c104a28d36246bf7562538dca40145

SHA512
988ecfba1140ce754cb1d47be2249000196dfc30dc405fc733c4aeef71ca1ad88d13f324ee91689bd20c70ddd702104abfd85b831d4ed3177a40fc77e1727bb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000033
Filesize
31KB

MD5
370c32626ed02be5cffc88a72d78aee6

SHA1
5c734be898a890f11c529c8c7515913a240f5b91

SHA256
5be23b4c7a36c9967459febd599892225fbbb8d6dded4c51a5084aef159cbd94

SHA512
875bfddc092c8c76d440d45f2f2902e20b40a876d3618ec3afe92e971b4ad91f736ecf4ac7093ca2b2e72c262f5c8fee6a6590560da5358fc34e89eaa8aac8f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
0316255c645d020b8d4fdc0a0f2e5c68

SHA1
83049a3a3c29f9982644f31c8a4e13297630ed0f

SHA256
c9f85206809f4e290c33ecacec828c4659f4fea9855feca81d059af26f1e5fc9

SHA512
2bc3f527f215b00aed366ca75609bb1501107255a8214a3479d6ea84696288dbbf589aaffcfa8b92d95ca7af4a82839fa9c7501dc52b203303a4ef6005efa6bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
6652ca1bdbc2fb27be3d903067058b0c

SHA1
879e5dd9ce47d536ea7da65332bbb63a297f526f

SHA256
46822ea90a1acb0ad5bcfb1ba3d6be373d99effa7fe7e7d902e0b5499daaf72c

SHA512
4458578c239704cd1ae422a91a2db3a92459f99269df563ea81d35d3ab2475e5db2a8219ac0bb2748a18a7a5bcd2cb096cf997504ae741a9e39ba6d797308bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8e8aac8b-4847-4e71-84ab-17a451b82a0d.tmp
Filesize
3KB

MD5
a05557204ea193de517be44874da6124

SHA1
ccd0684d36db02d348a3143ec50a0d91c7aa7695

SHA256
f182409e4a43daca7e8f2043cbfca9a574e5a6727deeb1ef74b1524469a49e2a

SHA512
5082c0963c5d04c4232d038614f11b06f6f36b4b4e05e82057ff9918779e7ff48651bd56c3fcf6f97b826519811ba6f4a61cb952845fc38786c11fc88f721d42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
61a25456e70d4f2eb63bf91dcb5f8db5

SHA1
48ce386c555013ff8266ee18c34bbcaaec128d12

SHA256
73f7a7f703632004c91e31cd1beb07aaa2167082ae6de9446267eb2e87e06da6

SHA512
1624d36ccc0b524976926da5e9434e651f79dd49a662b829c2e47a6b44f7353fda664eb2fca162917e920962e4d7a6eeebac631c2936546ff2056795cb482e33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
7KB

MD5
05280b58efb0619e6e5961c34d8e8ebd

SHA1
bcfb69ef7eb0d482e38fdd3c0d5d8ccc40292aaf

SHA256
fbe1f870eb137715fd89c1116a35a0da00be495b09a6c1fde8c70c61738e27be

SHA512
4d2611d9bc853dbe55ee19badbeb1d9360ee7345ad16b2f5f10c4cf7f02d44b72eb431199276efd48a66b79c086319716b8236f86a0f6d17c063f18631d3dc30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
7KB

MD5
b7e27f4c8632282c6fbdaaca945e8194

SHA1
f6334122fbdf457e15485ebe7c42b34ba0799ef6

SHA256
a91de51ef9ae572eaff70ef445ccc6f059c34c424e2f89405d3b367becf047e3

SHA512
f9d3a50ab4073503bdfade6317ecae2b937b213129582d1adad1930068315a6b3ef17fc719c26e8c1ec2f1b229377a98ced3a3fe44bc828c822eb0fdd6379152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
a9dd1410a8cd3e336372be5a99fd3497

SHA1
aac9d6466e68ad1ac43c19bbd7223f5abd8c8bd0

SHA256
e90cf683d8a802f8a97b556cf10f6615cf0cc7ff1cc45cc7dc604b720cf8b74f

SHA512
a7b49953c1acf26a5b4dbdfcee375d72dfb8ef07fc084b42f74d94ec966d22ef7c3569fd6685f1922f127621b1f4e07191fbad942325b3e9ee026eb4079c2e6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
febafc0f6ff6f40c9938275de637ea64

SHA1
36e92a395ac6a69ed45e43abe8a529f902c44812

SHA256
13dab170ab0874d13a870492bb96c69bceb5064e7ce1d7f64fb68532663fac94

SHA512
ea57e81e2b867198c1d20e94f4138548a551b213083356f5fe1b969d69ef060cbcfe326e642af26bb18e3d1d20a500dfb0cd913573f69dd5f709312ba162ba2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
e16327ec6d0c6ad4b3743ca1f4493edf

SHA1
0066c1f8a01e2590fc72eb7df1cd3c7452fb9edc

SHA256
b50c2ec03ee0a89fe6ce22b80d549761618f0219a60fac046fd722a9c728b10b

SHA512
8eaac0e9c2316b5575cf26e02cfe575679b3b00aa85b5715c7a7de4e14c9472d85bf2766d5cde5b60f1bbf912ec42a9813f42e1842012efd2b50cb88747dc123

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
d1b42a490c3077f94780fefcb0e0799f

SHA1
05f68f11f6c3ae3a2cf39b6d6b1025d0a061907b

SHA256
05f1f9f10c81c3f713f868061c283c743d759c69244f35d46e06363a30ae1821

SHA512
71600545d52f3d47f8e4ca6dd3d52e953821821569d3da5c7c446dfa6fc950ef7844765d10b48d03d85a948b3e0372d15ed6d071ba018cf9fea4bd7fbdb2a9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
df1adb6c7f34a8dae5aace42cee2bbcd

SHA1
8dd11a532f37b15e9297f2a28a5c5938c22390f6

SHA256
48829849ef6d03f77ad0d1a874213ac05680636f905e7694507dd1d6aba6de95

SHA512
f47ad2e3a0f50f57454903a1ccd5c03e52de0ee3e6fde2e4f109ab879c708b03a3287e346d558b4696212f7e6f3af6ce449097566d8162e38036d4473765b203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
35427b4a06a56a5ff2ffaad524fa98fe

SHA1
9dd42fb4c1ef80c19e7175f032c8a72cf014a791

SHA256
8001ff911421f63d52cf77433dbca871d6acf88bff988611ae78ddddfc054b90

SHA512
0fcbd34b45a6483e32e74147673803f1b2ac545ba98a8602d9d84dd33d960b16cf6d57b24225cd865c14a28625cde59ab4377862ba51ba5f280d75929b920e4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
d7a8849b820686a23cb956c34b66d115

SHA1
0db673daf6b52e1669cbe2a4e97d69b90b460a65

SHA256
6526618ea030df12479aaff5fcdf9ec6bb313cd88a1bf09fbafe3596fe961bdd

SHA512
84d70020116d7cb4329edb8b1cc0465d20f682186d6885990cd65a3f70c29bb5beb7dbe99d0964075f003d7e8230c39138e1ff48ce3bb376b6b81e2ad52224a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
b394e4461a91498c803cee2c1e5eff50

SHA1
47eeaba1d91e0137d0af99a4f70db8d5183cf9db

SHA256
890b801b45c7deae5a8b034771b67d48eff20b865819ddec2a18aecf35cb27bd

SHA512
9a6d1112d9c59f436d975b9eecc76ada1d9d82184c43c0bcc79ebb0943b04ecc4993968e24e6aca924b782be34e32e16f3ec173adecec8d165475daf6033576b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a9be791900ab4c13b58774e799c771ce

SHA1
531c543d34077650e4f7585b82df0769b7dee12e

SHA256
5c7387ff8ea11fe8b107e885865786cda802cd2b9577e2d62cb88056149333eb

SHA512
52ce33d6a6f710bd50df66b5fac78dc1e8bfb3273b743cb46c21cfdc39a4290ec5803d04932639ada5d6e38c56fc328e1dc0192949feaeeace4c14ba87cf4987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5db7ccc4fd8d2adf5f9f3b436b34b6b8

SHA1
d982e997c11912e115352a644779599ad333f9b8

SHA256
2a7cc5534c07c10be12c4cb2081b915a942de4dcb7944c41f108c53418a69ac3

SHA512
1503d54dea0a53aa2b31c1c808e1e73bb418d1b2546bc29aa374de5a8f8b06208c7d871eaf077439e1a8f5967febb6edcd494abcd472a76d77e86785a6a35b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b32fe7b2977b4bd1077d1ad116973e96

SHA1
2dc233406cd2d1e2bfb9a3850a60a431d1a232a3

SHA256
66e41fcc9593d8e1b2d43b050e7c8c973c906f26dbea8489b9d70735edbf0e0a

SHA512
1e157d8d71fbf1886b3e3c013d99297c5dd48954442b86d60418b137b0af8ea52f538071b101a469f4cd82d2bc9a5f38b8c2ec6a61b25d9b3b48d699314f17df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d1a5c60d054bfd5f2979b1d538c4f4b9

SHA1
55c387beff05023050645514e2225acf2978a56f

SHA256
53ff59e0ef06e4c9fe07e1b6fe1d290616c94e9599218a1454c86a8f20d0f7da

SHA512
735558e17b1dd000941f6cb846a34e14e645163edf121e1c2f2930dca76ae5c763db5f8797f09863a1234e41c4ed734f8c1b792edfc3e504149c44ce3bb05821

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f0562d2bd3be8761e07cafe890c832f8

SHA1
681a1c21d1ac196641453d402a2e0a84e072e7cc

SHA256
202130faf9ee1e440f459abcb851dec3bb457517500e5846709a2bd7a014496c

SHA512
d475cec94516fe4d143e5c108455c8ba7bfb1b6f08301bd7cc75aa85d67f84b08543d02e4d2df4c6d2a531beef078c1f5c94c46b96dbf3a6cc3b924cd9facdb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
ebb1dd5bdd6005948cae6a832275a426

SHA1
73077b1c2425ceb0d2d6af148bcb078fd34425e6

SHA256
212eb06c6a94e8d76db50355a2a180bd4579e902d2f2169c8c77c03dbba53a14

SHA512
229472cda3933ad12d132de4351e9bf043f039408ab2bc91f2d6ddb7a3035f4b4cc0d56fe7bfe5c503fc82974f5139bab5614907f72d780b20db2f092cd52af1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
de8dcd02db50cf86b46bc471ab88ee9c

SHA1
bd82f30ebc4b49c6c343da477321a904d47254ed

SHA256
c7ab73da31d4cadf268023ce0371112c8a837d60a651d95278327f24af4057bc

SHA512
8b0cdbaa51472f1b3a4e808ea12a440d3c2f9ff8e135cbc1c76b8ac9b0497b0cc0db458b732439980613c30878a112c35ece77a360c4b527bd93c9eaa00e35fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
f43fdb9a368680d4e71d36641690ea98

SHA1
5e207f2e202a42e43b90837ce28fabcbf3cbf2c8

SHA256
e48e85f465561c35201e18e7b38da0d4ac01da2c7b66630fbce6c1100bb72f8e

SHA512
6eb6c8c3f4c190d7e0ba02e2e3f733d4fa89bb416eeea47d834cb61630506edf8b471e2a44a07203bc65b66a9e2b0598eae9b210fc3a3488d19f5d861b5eb54a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
9e14d1aa68d31df42c92fdeaccbe1840

SHA1
6321ef5402fcc32acf684cd5ab31c65e5a744e8e

SHA256
888241b40630658315aab0762b6e76dd4f413d2159b35cb7c18efdecbc7ce65a

SHA512
8d004ed5e07a072b6d2032465d7d184f6da7200a531fdbaed284d50296546db6bf491b5595f166c2182377c1aabec4e13e47eb40ce35637ab0b5781e3425e344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
ff37a26d04880c7c1b07927fce543673

SHA1
f2ff56c7b5a7897656a7f395fcfa66852b8e0eae

SHA256
7cabae30310827f00a2722632cdec8fbc0ceccd0c1d35d0825f63a67a7019f46

SHA512
a42df69b33fde4291cf28af0308b4196018e1ce08798a00b89c60fdf991be3fa15f8a3e71dcdc4059d124406cb47cecf8025d3ef1e45a754c6da5eaef3dc268a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
f73d662d0f4a6ea5a282ffa687404697

SHA1
265d0c571a7358c2c4b4aef2cc98cf8af4e1d36d

SHA256
574a061ac62c6965d03b34bad876b83cd22d7f50a108c03f4e66688bbbb518fc

SHA512
09006df5c714924de85d84b5bfd412f5d5bb8361dc3c9178d6ce011104a8f77255cbcf700eaa6eb5e4b67b4228391553fb9f3abfb47990947f060218a87554e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
113KB

MD5
ec439a5bd0cc8d51c81b5aeeb51ff49e

SHA1
a8950c10a9a851935a25f016d3ddbd620aa5194e

SHA256
9e3f294d0bb31ad17f4b8c0757d74939a9bcc89a006f4d72f170cf315fe15c93

SHA512
f14bc8dd8f8ea4ab06288bd65f4a6cacd7420fb3d8598d95b703250a8d067e097ec5f9bc77a8cad8ebd180e686d0cab3f06c121630710a92cf4d5fda610da5c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
2b1e5b3ce9c1aadd6a749b3bbccc9acb

SHA1
36ead3cf7d3821e87d927a18dbe78f49de317514

SHA256
eeb6fb4137e721d1e7ab0f9671deed030c6c785efcf0fb52ba8280f8ba0729de

SHA512
14d1efecdf26f4d87c8ebc0a12b80577e9a3778ca26dcac4e321a90a11c6007cd9d37bb6e1d5e135df68d7e39915735d5388ef9e0a3dd4dd5049763b09a50433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57cc29.TMP
Filesize
96KB

MD5
9a01a454dadfc3460650730caef41e6b

SHA1
5bcfbe04bfc06ddd0be98636c07c9aeb4b753465

SHA256
c3a35a9e6220a3406def41527c2737d375fb197e66487299c892fd801efa2df9

SHA512
f7f03f8863b602e6f8f8f9adeb3da53947d25425204945b79c25985218a27e4c9cdb8ed308f5eec9edbca4fd0723706500290734291c9727c68b1be5ccc180f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe
Filesize
249KB

MD5
4c11e93674d85857c4d7e4d784f27780

SHA1
5779144cc076d87f0cc207acf0a85887ed3ccc5e

SHA256
b07b7ebbcafae10ff97b4da6b78e38fcb9ac06c8480016a7913b7a2fc827d1a3

SHA512
278c6cafd136ed0ecd518f208e60b050861992422f02cebea784e7897668372f971fd72500a3e0ee02442ec1b5deb49bca3dacb46024f5f3b57286c436a6f619

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe
Filesize
249KB

MD5
4c11e93674d85857c4d7e4d784f27780

SHA1
5779144cc076d87f0cc207acf0a85887ed3ccc5e

SHA256
b07b7ebbcafae10ff97b4da6b78e38fcb9ac06c8480016a7913b7a2fc827d1a3

SHA512
278c6cafd136ed0ecd518f208e60b050861992422f02cebea784e7897668372f971fd72500a3e0ee02442ec1b5deb49bca3dacb46024f5f3b57286c436a6f619

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe
Filesize
249KB

MD5
4c11e93674d85857c4d7e4d784f27780

SHA1
5779144cc076d87f0cc207acf0a85887ed3ccc5e

SHA256
b07b7ebbcafae10ff97b4da6b78e38fcb9ac06c8480016a7913b7a2fc827d1a3

SHA512
278c6cafd136ed0ecd518f208e60b050861992422f02cebea784e7897668372f971fd72500a3e0ee02442ec1b5deb49bca3dacb46024f5f3b57286c436a6f619

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe
Filesize
705KB

MD5
0792396a0fbfa625aa527e6db3c5c9c8

SHA1
060d0af8b990c4afdeb8a6dd0ceb955bf2ca01a7

SHA256
4d02fe556756b37923ff06f1a00ec706902225101caba670d7d0de70929c1399

SHA512
d43f152a70fbaa88cab8af319921ae51f35b418d24d4997118f80224b2d28047ee25e342ab3e7f0935a10e652962715f41d60234dae6c330689b422af52d9f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe
Filesize
705KB

MD5
0792396a0fbfa625aa527e6db3c5c9c8

SHA1
060d0af8b990c4afdeb8a6dd0ceb955bf2ca01a7

SHA256
4d02fe556756b37923ff06f1a00ec706902225101caba670d7d0de70929c1399

SHA512
d43f152a70fbaa88cab8af319921ae51f35b418d24d4997118f80224b2d28047ee25e342ab3e7f0935a10e652962715f41d60234dae6c330689b422af52d9f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\deploy.dll
Filesize
26KB

MD5
f257dda3e31692bd938671d84dcc5f12

SHA1
ea113aa3a602466ceb02f94351ad818cf7bc930e

SHA256
32ca40f507509e8363978e465a0a599c94326ad3e7e22ea97db14ce87f064352

SHA512
fc376d3f0296003c496e927e9b8a167e61d83235fcc44111b994a8a72cd4734fc43da5e0cea31df838b81287078d74ae07bda54d192be4e9f7216b6802027a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\additional.dll
Filesize
1.4MB

MD5
59ab4e9281a5eaf891863bb56c84f32d

SHA1
f2669914fca709bc0fcc5a2f95914ab8d1de7dff

SHA256
a0a5151684797d26cf580c1a3042c2c562d717eef1a5d0033f03c8e035d8d06f

SHA512
aa23686d03c7f567b14186f5fe5e817d2767a4a544936dea3f1ebc451067eb1589b0d15e2f30fa775f7eb94e14aeee34de6072c56d9a074fb6591843ac8d7a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\additional.dll
Filesize
1.4MB

MD5
59ab4e9281a5eaf891863bb56c84f32d

SHA1
f2669914fca709bc0fcc5a2f95914ab8d1de7dff

SHA256
a0a5151684797d26cf580c1a3042c2c562d717eef1a5d0033f03c8e035d8d06f

SHA512
aa23686d03c7f567b14186f5fe5e817d2767a4a544936dea3f1ebc451067eb1589b0d15e2f30fa775f7eb94e14aeee34de6072c56d9a074fb6591843ac8d7a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe
Filesize
7.7MB

MD5
b60c02da1b133780d5457f8ff6a6ac70

SHA1
defcc5c437053080a12dc140b4cb93fc85e90158

SHA256
e31611de370afa08ad45b733ade36f6dbeb2ec9a6124eecf4fc98f02b37ec9a4

SHA512
2b9f961e84d9f94bb7f3af653ff30f95512997ebe08dd418390ed06c90bb414ae05305103237498ef59475a5853f47a75ab342bb596fdb9e07f401a074df3de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe.md5
Filesize
32B

MD5
8cbf13538c4beda1a8954be746ceca9d

SHA1
4a7ed7fab3c91e3b23ba786a22325e78a68ab635

SHA256
fccc07c5033dddc5e31908228073230c46c98d4fa4ad1e43f376d522c96e572f

SHA512
98932254e777ee5129f83ba028f4f7205ac3de5fa6dad7ec77a36ae955fbf158399453308d24c9d343752fdb4db76bfce70050fbb62db91ebaa7e12546102b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\data\params.json
Filesize
76B

MD5
fd2ff955bc4291a433528157c195f57a

SHA1
c7444121a44c6d084f73c067c750b0ea04b563b9

SHA256
eed4f75204a965a1c99e082698c8b76b93c847e8a3982bfc563c26860ba8a179

SHA512
fdd80e27de5123f8189b00800786fd873be6c7ba44ed3911909661759b319040d05b6c36a9017bd8e3658350ff6be45262cb50ebe4a5ebfc535fb8cbaae2e065

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe
Filesize
766KB

MD5
2b72e68318529f760aa5058fdf1f3b6f

SHA1
c061507c9e31f7bc4a67a94303ccda4588f04192

SHA256
18fc01fde3a00932a7313cf74c8e1cefa96b2c62346babdb24338726827ce6c2

SHA512
696185285b255a09ecf422d40ca8caacb0f4b452a406a9e7bd0e72673275392d17fe45e4fda761ea475582c5e3981f1be0b2c6602b056f26f9031d1f3852a3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe
Filesize
766KB

MD5
2b72e68318529f760aa5058fdf1f3b6f

SHA1
c061507c9e31f7bc4a67a94303ccda4588f04192

SHA256
18fc01fde3a00932a7313cf74c8e1cefa96b2c62346babdb24338726827ce6c2

SHA512
696185285b255a09ecf422d40ca8caacb0f4b452a406a9e7bd0e72673275392d17fe45e4fda761ea475582c5e3981f1be0b2c6602b056f26f9031d1f3852a3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\ltr\resources.dll
Filesize
102KB

MD5
6548eaa6ffd49855f7480a7bc5e99893

SHA1
c66f0ec14dd617a0d8ee513e6fa1389516c803ca

SHA256
c7e3a1b1446ed560350d0e31879fb4fc7c58a70f8d1068154136eaed05a26409

SHA512
6f7c90c31d298c7cd14253a2a5cf24d1cb24230398139b046747c4934cef569848abfa3ccf8f3cc779d4adbd3b331c73024ca2809d93abda6df8996c4b715811

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\sciter.dll
Filesize
4.5MB

MD5
86383904bbda6bb6e6e59d9a9aac6197

SHA1
cac0d59789f7006689a3106812a3f4bdc0b25205

SHA256
d552e9eeccd49d1ec35762f552404fc426fa06f374da998e219e5e5fb91673bf

SHA512
84945f0db133cc47606e31afd9ca7da9f325a8d23578a7de32df6afe2abd26ef2c8c5113a16e85f768e11588d95d28d8a195764498a7502b7699571cddedb7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\sciter.dll
Filesize
4.5MB

MD5
86383904bbda6bb6e6e59d9a9aac6197

SHA1
cac0d59789f7006689a3106812a3f4bdc0b25205

SHA256
d552e9eeccd49d1ec35762f552404fc426fa06f374da998e219e5e5fb91673bf

SHA512
84945f0db133cc47606e31afd9ca7da9f325a8d23578a7de32df6afe2abd26ef2c8c5113a16e85f768e11588d95d28d8a195764498a7502b7699571cddedb7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe
Filesize
5.3MB

MD5
6fd71123c8815f64dd912dba4401a5c0

SHA1
9e47d4f210ad7608644b9c8fa06017fe0ce84dba

SHA256
3240d52ee8f887162bc8a384d1b081a1ae575b045825aa0ab244c3b806318059

SHA512
6e0baa903f1ebc52ab8280d877e944aceeea5ee689704c694e13c35de3d8a82b65ff7b389427b2fd27cf8c1a1584c34058e89da9f00099df59c7fe0519519f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe
Filesize
5.3MB

MD5
6fd71123c8815f64dd912dba4401a5c0

SHA1
9e47d4f210ad7608644b9c8fa06017fe0ce84dba

SHA256
3240d52ee8f887162bc8a384d1b081a1ae575b045825aa0ab244c3b806318059

SHA512
6e0baa903f1ebc52ab8280d877e944aceeea5ee689704c694e13c35de3d8a82b65ff7b389427b2fd27cf8c1a1584c34058e89da9f00099df59c7fe0519519f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe.md5
Filesize
32B

MD5
c254ca4c22bc00f6ca0e1b82d225b668

SHA1
5e5cc48efd15348229cc3527a99fd3ce3a171172

SHA256
7a76a11f22e7f12efa8ef4a173d284b8ae82bba5e564458be4a82669f9a57fd4

SHA512
16173caae89b455f8b3f67077e2ca996ded69b4eb7b36b097e51b764022c00cd86605dc3a4b26fdc7a8e678f13a4486ef96d3fa44dae920b0e80a6d4f4d201e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\unrar.dll
Filesize
262KB

MD5
ae9c5338d8495eea829e79799cea0357

SHA1
3491d6c2ce04f49b92b3eb424148432fb179bcdb

SHA256
799232852e8813bcbf846e3d78abfbddf62eb59a639f0a74350a738204e5ab91

SHA512
452c39a89023e840a095d2ef754712d61e1c02e5f7f1ab52958e2ee4359f06f9f3055901ddf9318c0fe771e31a62c354f6bbcd8065c61ff4563f71afc3660d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\unrar.dll
Filesize
262KB

MD5
ae9c5338d8495eea829e79799cea0357

SHA1
3491d6c2ce04f49b92b3eb424148432fb179bcdb

SHA256
799232852e8813bcbf846e3d78abfbddf62eb59a639f0a74350a738204e5ab91

SHA512
452c39a89023e840a095d2ef754712d61e1c02e5f7f1ab52958e2ee4359f06f9f3055901ddf9318c0fe771e31a62c354f6bbcd8065c61ff4563f71afc3660d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sspf20th.qlh.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.bin
Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json.tmp
Filesize
29KB

MD5
396caf474d22f10fd01df7c5335bc691

SHA1
568b3a4c9c63fbe673a3e0525c17c41febe554ff

SHA256
29c1796724acdcb18a8800a152a21222f2dc4c5022e062215b0d1bdc63628076

SHA512
a8919b8f0ea4eca95bb427ce2d7e97f5645056bc0a789907a65dee4ee6ace88c8617069e6b137ba17985d5542cccfff12ffecf05ea2dc98cda02e8b49ce506aa

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
4KB

MD5
5f79e6134187e9f4577e5386395e6e64

SHA1
05d94d04eb037612b9b049abdea327a77327617c

SHA256
92e25a62285df95286b65862298136fefdf9020f3104865dc604d7baecbdb00f

SHA512
18566eae3ba10e5cb9d2203c4077e91b09cc1f8113838b470a40264a4d0e8fe3748979d7f064a6dff287dc45c3c6c322fa7f6a1f9839bd23c11a24b57c185a5d

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
4KB

MD5
26bfa2c46e4396f44adffc3b26a7bbb6

SHA1
bbcbcca91da80769ce359af8dd83792aaa0dddaa

SHA256
aee8798f2c5eacc239cf39b7bffc656c3c18784bcf9db4833417956886d86d9e

SHA512
22b5e66522a037b7edb7b2f198277179d2215c5c52dfb3ef77f1e271dd97cc35c9a1903d7daf6e92593545cf3895bc6acc3694742b1132ba29abf4998eb02c35

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
5KB

MD5
9dc9ceeae737788e848b2ae271456af8

SHA1
b1e863f9afca05f6adbf0f34a72ec6a57beef37d

SHA256
4d1fc2d2f7fb42d18851f88490bc1bcb220b8e3699108c35050c813acd3c6c3d

SHA512
6ab0c5f28446ae42770cdcb0b0119225532a720d9be3c9db4d1caf72790a28de096c07efd0a0b287abd55117ce88450f235d5e6175edbee9f61a943aa0f1e28f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
5KB

MD5
24e383b2a4aa0f4711417b668b67e94b

SHA1
e8ee9d31b227b6ae3f8b909eecee58f1cad02cb8

SHA256
e0f307be31bf9a023a7cb47cdde67a71733805c7ac67ee85448f37e8e5ee7416

SHA512
aef7002dee7109aa1d9939fe56200ca971a626202c08b805906d107ee42085589e3e76f472558c7f25d96329cecb056c47201d48fdc45e8ed10eb1c354ebdf43

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
5KB

MD5
abc3e6eb26102918887bc2b2f2eb8e7e

SHA1
8423adf93d6ff111d9645820280fc7649eb733aa

SHA256
e27922eedafef1168d7ee39ccc7153e9123d99a2eaaafd516b50d6506f6bb616

SHA512
343e7c43d6ed38e01f8b3b933804edb1c1df6a89ade28c071ad2beed42304818dec48a6076431135c832437902f6b1a02f49ae87f541b51a253c82dbecec0afe

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
961B

MD5
25f8cbacfb1664b360f35f22df2c480f

SHA1
9f303dda359b30718da2ad2da8afd34faf1a9428

SHA256
adb956e1a3575eaeb87f36ceec61f8d05c9ed52321225c7d4105c512f2f1713e

SHA512
157c35beebcc3db6624751c45b083ff4174d92a495004cbdea932f6b12c0d0b0d555c985f54ffe7f5829a9cc1f597c5479de922f46574f22e85cdf6cd69f4967

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js
Filesize
471B

MD5
e161f62112d4410a57796ab59f502cd4

SHA1
83b41a53373c56ed1baf17eaf4301c17f95bb9e7

SHA256
78624bf9fdac975820049456c01e2756fe2abdb84ded479a78f298cda9722ecc

SHA512
2467126feb1ad090f53daa842e20fa638fdedf570c6e0bb0b2c5f2baf095bcb3ac3261c72e3839a975d9df936b587748b69bb9c9b8eed07aed8aaf5f0fe7ae73

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
128KB

MD5
fd125355d8ac667c2358d022f92e620c

SHA1
7b823cdff009c2c1de7a8b8a9ed2a624f75454a7

SHA256
72d5165dd951bfa86764b01708bad87badcae0cc0886ba599bedb6d4b2ec6bbe

SHA512
74540753d27978d35fdae3ac76fd0a7346c35569fb9ab58f210cbf969e02cd8e5cad33af1d4d3f597624f27c6eb707f27d659c45198e8fdbbd723005e8abc973

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
Filesize
1.7MB

MD5
4edcbf0bb8694d894e47e6e893d89496

SHA1
98448c2dfa09c82112e7f7187bf5de7f9d29ab40

SHA256
93f38156eb3dbbe3562dfe7fe80ff62cab75c2fbbd9bfb5ff8259027e1ba241d

SHA512
58af2adf49c5cbcc1832b3c95ec0ca81099fb07cb65e143f7a56e3dab3e912c2b8027cef139070bad75f0facec6d522ff529db5c7eb440e7279c2acd8375cf46

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Start Tor Browser.lnk
Filesize
845B

MD5
3a6b52091d6031b7a4d6a85dafd73f24

SHA1
9bbf78f989298552912d49cc26845c94e3507f2f

SHA256
859cdd47ad3e09516fe96b1327c10253d8ee4e6de16c1e996fe119c02684bf57

SHA512
76831f270d6d78d841cd2af6d841b29a61cf5107757f56ab07489152c2c630f8c10c93ccbc7623db2f073672c0414582dc020c405e4ea259eae13367fba5613b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 891922.crdownload
Filesize
13.2MB

MD5
f81455e63d05835898de8e8cb9403328

SHA1
ea54a7af11564f6f39a25db97b11a7045a7a48a1

SHA256
333a4fb67136829ab34083dfb8180379a9e93fe4d5e64fd82eda44dc5b1640b8

SHA512
356b02196fa0b4ff17bc347e6429de9b223782ed34e62b827700497ed1a8fe6db09eee4234e8e16ab182bd8c431c6dd0bb40224d032ad937ef6ee18bfd33b947

Download Submit
C:\Users\Admin\Downloads\bitdefender_avfree.exe
Filesize
13.2MB

MD5
f81455e63d05835898de8e8cb9403328

SHA1
ea54a7af11564f6f39a25db97b11a7045a7a48a1

SHA256
333a4fb67136829ab34083dfb8180379a9e93fe4d5e64fd82eda44dc5b1640b8

SHA512
356b02196fa0b4ff17bc347e6429de9b223782ed34e62b827700497ed1a8fe6db09eee4234e8e16ab182bd8c431c6dd0bb40224d032ad937ef6ee18bfd33b947

Download Submit
C:\Users\Admin\Downloads\bitdefender_avfree.exe
Filesize
13.2MB

MD5
f81455e63d05835898de8e8cb9403328

SHA1
ea54a7af11564f6f39a25db97b11a7045a7a48a1

SHA256
333a4fb67136829ab34083dfb8180379a9e93fe4d5e64fd82eda44dc5b1640b8

SHA512
356b02196fa0b4ff17bc347e6429de9b223782ed34e62b827700497ed1a8fe6db09eee4234e8e16ab182bd8c431c6dd0bb40224d032ad937ef6ee18bfd33b947

Download Submit
C:\Users\Admin\Downloads\torbrowser-install-win64-12.0.4_ALL.exe
Filesize
91.5MB

MD5
c516a833ca713c1ea4e84e7f505f9435

SHA1
c5834f96df0bf215f33e2f1c4053988954ab997e

SHA256
ddad37d7324cc8ba3633528f8df1e7a27c0df11aa48d27c202a925bfefb4b390

SHA512
9955fa792db38f1fb7dfc5ede00e179d508f26d487f2667876f98ff2a91aacb6d674e96ca19669ce81e2661e5c1c2a0b4f995f1dee1d745e11781ca2f82f6eea

Download Submit
C:\Users\README.9d117154.TXT
Filesize
3KB

MD5
b58e2411168bbdbec635cf4001635db0

SHA1
c130cd9caaaa514a6b98c1168e10d44a989d191a

SHA256
652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a

SHA512
87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a

Download Submit
\??\pipe\crashpad_5580_EHTSRKMFXPQGOUHM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-149-0x0000010AA5400000-0x0000010AA5410000-memory.dmp

Filesize
64KB

Download
memory/220-147-0x0000010AA5400000-0x0000010AA5410000-memory.dmp

Filesize
64KB

Download
memory/220-148-0x0000010AA5400000-0x0000010AA5410000-memory.dmp

Filesize
64KB

Download
memory/220-139-0x0000010ABFBA0000-0x0000010ABFBC2000-memory.dmp

Filesize
136KB

Download
memory/628-1494-0x000000006E530000-0x000000006E540000-memory.dmp

Filesize
64KB

Download
memory/1412-3257-0x0000025BA3900000-0x0000025BA3C55000-memory.dmp

Filesize
3.3MB

Download
memory/1412-3253-0x0000025BA3420000-0x0000025BA34CD000-memory.dmp

Filesize
692KB

Download
memory/1624-3044-0x0000025BCEFA0000-0x0000025BCF12C000-memory.dmp

Filesize
1.5MB

Download
memory/1972-3079-0x000001C4F1D00000-0x000001C4F2028000-memory.dmp

Filesize
3.2MB

Download
memory/2464-2949-0x000002149B7B0000-0x000002149BB05000-memory.dmp

Filesize
3.3MB

Download
memory/2464-2939-0x000002149B700000-0x000002149B7AD000-memory.dmp

Filesize
692KB

Download
memory/3280-1537-0x000000006E530000-0x000000006E540000-memory.dmp

Filesize
64KB

Download
memory/4080-1694-0x000000006E530000-0x000000006E540000-memory.dmp

Filesize
64KB

Download
memory/4328-2995-0x00000180AAF20000-0x00000180AAFCD000-memory.dmp

Filesize
692KB

Download
memory/4328-2999-0x00000180AB900000-0x00000180ABC55000-memory.dmp

Filesize
3.3MB

Download
memory/4328-3006-0x00000180AFC30000-0x00000180AFF58000-memory.dmp

Filesize
3.2MB

Download
memory/4468-1819-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/4468-1817-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/4468-1845-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/4468-1785-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/4468-1786-0x00007FF9B9B10000-0x00007FF9B9B1F000-memory.dmp

Filesize
60KB

Download
memory/4468-1995-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/4468-1997-0x00007FF9B9660000-0x00007FF9B966D000-memory.dmp

Filesize
52KB

Download
memory/4468-2020-0x0000000140000000-0x0000000140066000-memory.dmp

Filesize
408KB

Download
memory/4524-3012-0x000001EAF8450000-0x000001EAF84FD000-memory.dmp

Filesize
692KB

Download
memory/4524-3017-0x000001EAF8E00000-0x000001EAF9155000-memory.dmp

Filesize
3.3MB

Download
memory/4592-2401-0x00007FF9C0650000-0x00007FF9C0651000-memory.dmp

Filesize
4KB

Download
memory/4592-2418-0x0000023DEF900000-0x0000023DEF9AD000-memory.dmp

Filesize
692KB

Download
memory/4592-2404-0x00007FF9C0B70000-0x00007FF9C0B71000-memory.dmp

Filesize
4KB

Download
memory/4592-2422-0x0000023DEF9B0000-0x0000023DEFD05000-memory.dmp

Filesize
3.3MB

Download
memory/4988-3039-0x0000029C643B0000-0x0000029C64705000-memory.dmp

Filesize
3.3MB

Download
memory/4988-3031-0x0000029C64300000-0x0000029C643AD000-memory.dmp

Filesize
692KB

Download