Resubmissions

  • 05-01-2025 19:04    250105-xqxrvavngm    10
  • 05-01-2025 18:50    250105-xhbveaspat    10
  • 05-01-2025 18:38    250105-xaa8xasmby    10
  • 04-01-2025 19:18    250104-xzzb2avmfq    10
  • 02-01-2025 17:37    250102-v7bjtssnej    10
  • 11-12-2024 17:42    241211-v97eaaspes    10
  • 11-12-2024 17:40    241211-v9bbvaxleq    10
  • 01-10-2024 21:39    241001-1h1ejs1hkq    10
  • 29-08-2024 12:54    240829-p5n49avaqp    10

Analysis

  • max time kernel
    749s
  • max time network
    691s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-08-2024 12:54

General

  • Target

    66bddfcb52736_vidar.exe

  • Size

    190KB

  • MD5

    fedb687ed23f77925b35623027f799bb

  • SHA1

    7f27d0290ecc2c81bf2b2d0fa1026f54fd687c81

  • SHA256

    325396d5ffca8546730b9a56c2d0ed99238d48b5e1c3c49e7d027505ea13b8d1

  • SHA512

    6d1fa39560f4d7ca57905bc57d615acf96b1ef69ca2a4d7c0353278e8d4466298ed87f514463c49d671cb0e3b6a269a78636a10a1e463dba5c83fe067dc5df18

  • SSDEEP

    3072:XqsEJybpRHuJKKBardRei4UGvI96/ZO6RAkeOCeP9sZy28se:XqsMyNRHuKikUi42KZO6PffmZy2d

Malware Config

Extracted

  • Family
    vidar
  • C2
    https://steamcommunity.com/profiles/76561199751190313
    https://t.me/pech0nk
  • Attributes
    • user_agent
      Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Signatures

  • Detect Vidar Stealer (7 IoCs)
  • Vidar
    Vidar is an infostealer based on Arkei stealer.
  • Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
    Malicious access to, or copying of, the web browser credential store.
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 7 IoCs)
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  • Downloads MZ/PE file
  • Event Triggered Execution: Image File Execution Options Injection (1 TTP, 2 IoCs)
  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Event Triggered Execution: Component Object Model Hijacking (1 TTP)
    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  • Executes dropped EXE (51 IoCs)
  • Loads dropped DLL (64 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)
    BHOs are DLL modules which act as plugins for Internet Explorer.
  • Checks system information in the registry (2 TTPs, 18 IoCs)
    System information is often read in order to detect sandboxing environments.
  • Drops file in System32 directory (11 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
  • Browser Information Discovery (1 TTP)
    Enumerates browser information.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 32 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 5 IoCs)
    Adversaries may check for Internet connectivity on compromised systems.
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Checks processor information in registry (2 TTPs, 12 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Modifies Internet Explorer settings (1 TTP, 26 IoCs)
  • Modifies data under HKEY_USERS (64 IoCs)
  • Modifies registry class (64 IoCs)
  • NTFS ADS (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 4 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
    "C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2936
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • Checks processor information in registry
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ffc57fa-118c-455c-8d58-716aee427abc} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" gpu
        3⤵
          PID:4092
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dda8866e-0a8c-43ef-9727-6f6e62ff5839} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" socket
          3⤵
            PID:3576
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2916 -childID 1 -isForBrowser -prefsHandle 3448 -prefMapHandle 3376 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0c8de20-0bc8-4d91-9f86-7d3b3c9dffe1} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab
            3⤵
              PID:2184
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4004 -childID 2 -isForBrowser -prefsHandle 3996 -prefMapHandle 3992 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d9bbccd-7abc-496d-b567-1dc659cd6fca} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab
              3⤵
                PID:4476
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4888 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4920 -prefMapHandle 4896 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7899519b-6ea9-490b-a5bf-399772ad572c} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" utility
                3⤵
                • Checks processor information in registry
                PID:4736
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96ecd2ca-00c2-47db-8630-24d1f8c4032c} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab
                3⤵
                  PID:3008
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 4 -isForBrowser -prefsHandle 5492 -prefMapHandle 5500 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cc1cad4-537c-48b8-b509-ac66b65c9bef} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab
                  3⤵
                    PID:3024
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5684 -prefMapHandle 5692 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {920272de-cf5a-4bfb-8900-d8799b347644} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab
                    3⤵
                      PID:4828
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1452 -childID 6 -isForBrowser -prefsHandle 1312 -prefMapHandle 2872 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9b01063-2128-4a0e-a83a-573fd6462cb4} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab
                      3⤵
                        PID:5164
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 7 -isForBrowser -prefsHandle 6092 -prefMapHandle 5940 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a49913d-6a5f-46bd-8303-a7ccb9bc5ccc} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab
                        3⤵
                          PID:5792
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 8 -isForBrowser -prefsHandle 6336 -prefMapHandle 6340 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e63b3afd-e4fb-48eb-bde1-a8f3eb912bed} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab
                          3⤵
                            PID:5528
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5792 -childID 9 -isForBrowser -prefsHandle 5804 -prefMapHandle 5780 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7499d120-0e34-4f7a-8a32-ce1d94e40f41} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab
                            3⤵
                              PID:4948
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6672 -childID 10 -isForBrowser -prefsHandle 5800 -prefMapHandle 6664 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e581a90e-0704-4c5a-9ac7-1d6b69514de2} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab
                              3⤵
                                PID:5328
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6728 -childID 11 -isForBrowser -prefsHandle 5212 -prefMapHandle 6664 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0341b7c-4680-4fd9-871d-f6fbcafdaa7d} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab
                                3⤵
                                  PID:5084
                                • C:\Users\Admin\Downloads\bitdefender_avfree.exe
                                  "C:\Users\Admin\Downloads\bitdefender_avfree.exe"
                                  3⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4904
                                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe
                                    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe"
                                    4⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    PID:3624
                                    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe
                                      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe"
                                      5⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      PID:2632
                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe
                                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:5868
                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe
                                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Drops file in Program Files directory
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3192
                                        • C:\Program Files\Bitdefender Agent\ProductAgentService.exe
                                          "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" protect
                                          7⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          PID:2884
                                        • C:\Program Files\Bitdefender Agent\ProductAgentService.exe
                                          "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install
                                          7⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          PID:4388
                                        • C:\Program Files\Bitdefender Agent\ProductAgentService.exe
                                          "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" enable
                                          7⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          PID:2496
                                        • C:\Program Files\Bitdefender Agent\ProductAgentService.exe
                                          "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" start "C:\Users\Admin\Downloads\bitdefender_avfree.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          PID:2136
                            • C:\Program Files\Bitdefender Agent\redline\bdredline.exe
                              "C:\Program Files\Bitdefender Agent\redline\bdredline.exe"
                              1⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              PID:5924
                            • C:\Program Files\Bitdefender Agent\ProductAgentService.exe
                              "C:\Program Files\Bitdefender Agent\ProductAgentService.exe"
                              1⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Checks processor information in registry
                              • Modifies data under HKEY_USERS
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5740
                              • C:\Program Files\Bitdefender Agent\27.0.1.285\DiscoverySrv.exe
                                "C:\Program Files\Bitdefender Agent\27.0.1.285\DiscoverySrv.exe" install
                                2⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                • Modifies data under HKEY_USERS
                                PID:5896
                                • C:\Windows\SysWOW64\regsvr32.exe
                                  regsvr32 /s "C:\Program Files\Bitdefender Agent\27.0.1.285\DiscoveryComp.dll"
                                  3⤵
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  PID:2976
                              • C:\Program Files\Bitdefender Agent\27.0.1.285\DiscoverySrv.exe
                                "C:\Program Files\Bitdefender Agent\27.0.1.285\DiscoverySrv.exe"
                                2⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                • Modifies data under HKEY_USERS
                                PID:1452
                              • C:\Program Files\Bitdefender Agent\27.0.1.285\ProductAgentUI.exe
                                "C:\Program Files\Bitdefender Agent\27.0.1.285\ProductAgentUI.exe" show=progress event_retry=Global\7295237F-E98C-4C46-A4A4-07F0D66278C2 app_name="Bitdefender Security"
                                2⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                • Modifies data under HKEY_USERS
                                PID:5896
                              • C:\Windows\TEMP\bd_850C.tmp\bpf850D.tmp
                                "C:\Windows\TEMP\bd_850C.tmp\bpf850D.tmp" /silent /install
                                2⤵
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • System Location Discovery: System Language Discovery
                                PID:1076
                                • C:\Program Files (x86)\Microsoft\Temp\EU9100.tmp\MicrosoftEdgeUpdate.exe
                                  "C:\Program Files (x86)\Microsoft\Temp\EU9100.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
                                  3⤵
                                  • Event Triggered Execution: Image File Execution Options Injection
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Checks system information in the registry
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3232
                                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
                                    4⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    PID:1208
                                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
                                    4⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    PID:5304
                                    • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
                                      "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
                                      5⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Modifies registry class
                                      PID:5160
                                    • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
                                      "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
                                      5⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Modifies registry class
                                      PID:2624
                                    • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
                                      "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
                                      5⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Modifies registry class
                                      PID:2904
                                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTg2RDY5MDItNDI4Qi00QjcyLUI5NjgtNDM4OEMwNTg1NkI3fSIgdXNlcmlkPSJ7NDk1MjVGNzAtNTA1My00NkE2LTg0MjAtRUE5RUE5QzVDM0IyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InszMUM3QUQ5MC0zOTZELTQwMTktOTRDNi04QzYxRTRBRDg1NDJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS4xNSIgbmV4dHZlcnNpb249IjEuMy4xOTUuMTUiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0MTU5NDE5MzYiIGluc3RhbGxfdGltZV9tcz0iMzQ4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
                                    4⤵
                                    • Executes dropped EXE
                                    • Checks system information in the registry
                                    • System Location Discovery: System Language Discovery
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    PID:3492
                                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{586D6902-428B-4B72-B968-4388C05856B7}" /silent
                                    4⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    PID:4368
                              • C:\Windows\TEMP\bd_8383.tmp\spi8384.tmp
                                "C:\Windows\TEMP\bd_8383.tmp\spi8384.tmp" /source:web /attach
                                2⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:3752
                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe
                                  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe" /kitArchive
                                  3⤵
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  • Suspicious use of SetWindowsHookEx
                                  PID:3180
                                  • C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-27-CF9FADE8-47F5-4D71-B1CC-EA381D98EFBC\Installer.exe
                                    "C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-27-CF9FADE8-47F5-4D71-B1CC-EA381D98EFBC\Installer.exe" /attach /source:web /setup-folder:"CL-27-CF9FADE8-47F5-4D71-B1CC-EA381D98EFBC" /step=new_install
                                    4⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    PID:892
                              • C:\Program Files\Bitdefender Agent\27.0.1.285\WatchDog.exe
                                "C:\Program Files\Bitdefender Agent\27.0.1.285\WatchDog.exe" install
                                2⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Modifies data under HKEY_USERS
                                PID:5456
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
                              1⤵
                              • Drops file in Windows directory
                              PID:4388
                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                              "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
                              1⤵
                              • Executes dropped EXE
                              • Checks system information in the registry
                              • System Location Discovery: System Language Discovery
                              • Modifies data under HKEY_USERS
                              PID:6124
                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                 "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyNyIgaW5zdGFsbGRhdGV0aW1lPSIxNzIyNjAyNjYyIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNjcwNzUyODYxNDQyNzM1Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDMyNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQxODY2NzA1MSIvPjwvYXBwPjwvcmVxdWVzdD4
                                2⤵
                                • Executes dropped EXE
                                • Checks system information in the registry
                                • System Location Discovery: System Language Discovery
                                • System Network Configuration Discovery: Internet Connection Discovery
                                PID:5664
                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5A1C4334-1236-41A8-B262-A8D896F34BDC}\MicrosoftEdge_X64_128.0.2739.42.exe
                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5A1C4334-1236-41A8-B262-A8D896F34BDC}\MicrosoftEdge_X64_128.0.2739.42.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
                                2⤵
                                • Executes dropped EXE
                                PID:5468
                                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5A1C4334-1236-41A8-B262-A8D896F34BDC}\EDGEMITMP_B9A4B.tmp\setup.exe
                                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5A1C4334-1236-41A8-B262-A8D896F34BDC}\EDGEMITMP_B9A4B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5A1C4334-1236-41A8-B262-A8D896F34BDC}\MicrosoftEdge_X64_128.0.2739.42.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
                                  3⤵
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  PID:5204
                                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5A1C4334-1236-41A8-B262-A8D896F34BDC}\EDGEMITMP_B9A4B.tmp\setup.exe
                                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5A1C4334-1236-41A8-B262-A8D896F34BDC}\EDGEMITMP_B9A4B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=128.0.6613.85 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5A1C4334-1236-41A8-B262-A8D896F34BDC}\EDGEMITMP_B9A4B.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=128.0.2739.42 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff6803606d8,0x7ff6803606e4,0x7ff6803606f0
                                    4⤵
                                    • Executes dropped EXE
                                    PID:5932
                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{46B0E96C-3610-4C34-975F-C51112E29B98}\MicrosoftEdge_X64_128.0.2739.42.exe
                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{46B0E96C-3610-4C34-975F-C51112E29B98}\MicrosoftEdge_X64_128.0.2739.42.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
                                2⤵
                                • Executes dropped EXE
                                PID:2252
                                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{46B0E96C-3610-4C34-975F-C51112E29B98}\EDGEMITMP_2CC20.tmp\setup.exe
                                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{46B0E96C-3610-4C34-975F-C51112E29B98}\EDGEMITMP_2CC20.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{46B0E96C-3610-4C34-975F-C51112E29B98}\MicrosoftEdge_X64_128.0.2739.42.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
                                  3⤵
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  PID:3196
                                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{46B0E96C-3610-4C34-975F-C51112E29B98}\EDGEMITMP_2CC20.tmp\setup.exe
                                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{46B0E96C-3610-4C34-975F-C51112E29B98}\EDGEMITMP_2CC20.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=128.0.6613.85 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{46B0E96C-3610-4C34-975F-C51112E29B98}\EDGEMITMP_2CC20.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=128.0.2739.42 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff647bb06d8,0x7ff647bb06e4,0x7ff647bb06f0
                                    4⤵
                                    • Executes dropped EXE
                                    PID:5436
                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTg2RDY5MDItNDI4Qi00QjcyLUI5NjgtNDM4OEMwNTg1NkI3fSIgdXNlcmlkPSJ7NDk1MjVGNzAtNTA1My00NkE2LTg0MjAtRUE5RUE5QzVDM0IyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins2QTNDQjk5OC01MERFLTQ1QzQtOUIyMS01MTVDMzQzNDFGMzZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI4LjAuMjczOS40MiIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-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_UDE9MTcyNTU0MDk3OCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1JR2RBMWlNaU5CRXFGNFFFQWRoVnV5NExzenVydWJkeFUwTzdBZ3d4S3lub2pqQW1pJTJiaDAlMmZ0aU91VDh2RTdFa3NjaVluQ1I0T0tpQ3I3RlcwQjUyJTJiUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3Mzc1MDM0NCIgdG90YWw9IjE3Mzc1MDM0NCIgZG93bmxvYWRfdGltZV9tcz0iMzA2MTU1Ii8-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-
                                2⤵
                                • Executes dropped EXE
                                • Checks system information in the registry
                                • System Location Discovery: System Language Discovery
                                • System Network Configuration Discovery: Internet Connection Discovery
                                PID:5832
                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEYxOEYyRUYtN0I0RC00MDk1LThGQjctNzc3MDNERjkyQTkzfSIgdXNlcmlkPSJ7NDk1MjVGNzAtNTA1My00NkE2LTg0MjAtRUE5RUE5QzVDM0IyfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntCRjQ2RDk3RC0zMzJDLTQ1RjktOTBDQy0wRjUwQzU3MEMxNjZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-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-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijg4OTkzMzAyMDQiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9iMGY3MzFjZS1mNzA2LTRjODEtOTA2ZS1hMDVhYTAzNDc1N2Q_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_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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5MzY1MzA4NDUzIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iODA2IiBkb3dubG9hZF90aW1lX21zPSI0NzYyOCIgZG93bmxvYWRlZD0iMTczNzUwMzQ0IiB0b3RhbD0iMTczNzUwMzQ0IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSIzNDg5NiIvPjwvYXBwPjwvcmVxdWVzdD4
                                2⤵
                                • Executes dropped EXE
                                • Checks system information in the registry
                                • System Location Discovery: System Language Discovery
                                • System Network Configuration Discovery: Internet Connection Discovery
                                PID:3016
                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                              "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
                              1⤵
                              • Executes dropped EXE
                              • Checks system information in the registry
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1320
                            • C:\Windows\system32\taskmgr.exe
                              "C:\Windows\system32\taskmgr.exe" /4
                              1⤵
                              • Checks SCSI registry key(s)
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: GetForegroundWindowSpam
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              PID:4088
                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                              "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
                              1⤵
                              • Executes dropped EXE
                              • Checks system information in the registry
                              • System Location Discovery: System Language Discovery
                              • Modifies data under HKEY_USERS
                              PID:3632
                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\MicrosoftEdge_X64_128.0.2739.42.exe
                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\MicrosoftEdge_X64_128.0.2739.42.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
                                2⤵
                                • Executes dropped EXE
                                PID:4536
                                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\EDGEMITMP_0644F.tmp\setup.exe
                                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\EDGEMITMP_0644F.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\MicrosoftEdge_X64_128.0.2739.42.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
                                  3⤵
                                  • Boot or Logon Autostart Execution: Active Setup
                                  • Executes dropped EXE
                                  • Installs/modifies Browser Helper Object
                                  • Drops file in Program Files directory
                                  • Modifies Internet Explorer settings
                                  • Modifies registry class
                                  • System policy modification
                                  PID:3968
                                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\EDGEMITMP_0644F.tmp\setup.exe
                                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\EDGEMITMP_0644F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=128.0.6613.85 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\EDGEMITMP_0644F.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=128.0.2739.42 --initial-client-data=0x1f4,0x220,0x23c,0x1b4,0x240,0x7ff7854d06d8,0x7ff7854d06e4,0x7ff7854d06f0
                                    4⤵
                                    • Executes dropped EXE
                                    PID:5324
                                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\EDGEMITMP_0644F.tmp\setup.exe
                                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\EDGEMITMP_0644F.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
                                    4⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Drops file in Program Files directory
                                    • Modifies data under HKEY_USERS
                                    PID:4204
                                    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\EDGEMITMP_0644F.tmp\setup.exe
                                      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\EDGEMITMP_0644F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=128.0.6613.85 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03DDC63A-631A-4052-B45F-30C9209A988C}\EDGEMITMP_0644F.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=128.0.2739.42 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff7854d06d8,0x7ff7854d06e4,0x7ff7854d06f0
                                      5⤵
                                      • Executes dropped EXE
                                      PID:3480
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
                                    4⤵
                                    • Executes dropped EXE
                                    PID:3776
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=128.0.6613.85 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=128.0.2739.42 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff7b53606d8,0x7ff7b53606e4,0x7ff7b53606f0
                                      5⤵
                                      • Executes dropped EXE
                                      PID:5472
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
                                    4⤵
                                    • Executes dropped EXE
                                    • Drops file in Program Files directory
                                    PID:1684
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=128.0.6613.85 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=128.0.2739.42 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff7b53606d8,0x7ff7b53606e4,0x7ff7b53606f0
                                      5⤵
                                      • Executes dropped EXE
                                      PID:216
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
                                    4⤵
                                    • Executes dropped EXE
                                    PID:2368
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=128.0.6613.85 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.42\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=128.0.2739.42 --initial-client-data=0x238,0x23c,0x240,0x234,0x210,0x7ff7b53606d8,0x7ff7b53606e4,0x7ff7b53606f0
                                      5⤵
                                      • Executes dropped EXE
                                      PID:4888
                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODZGOTVGMzgtQTNERi00QUEwLTlCMTYtRjU3QTEzQ0ZEQTQ5fSIgdXNlcmlkPSJ7NDk1MjVGNzAtNTA1My00NkE2LTg0MjAtRUE5RUE5QzVDM0IyfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins5RDYxNURGQy00RDFFLTRCRUYtQTIzMC1DMzBERDc5QUFGNDF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-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-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjY3IiBuZXh0dmVyc2lvbj0iMTI4LjAuMjczOS40MiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIyNyIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzY3MDc3NzIyNTM1NTg3MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTU2NjQxMjY1NiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5NTY2NDEyNjU2IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-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-PHBpbmcgcj0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9InsxMDQ3MUNDNC01NERGLTRENUUtQjJGMS0zNTNENDNFRThGNjZ9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
                                2⤵
                                • Executes dropped EXE
                                • Checks system information in the registry
                                • System Location Discovery: System Language Discovery
                                • System Network Configuration Discovery: Internet Connection Discovery
                                PID:7108
                             • C:\Windows\System32\svchost.exe
                               C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
                               1⤵
                               PID:1672
                             • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
                               "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
                               1⤵
                               PID:6160
                             • C:\Windows\system32\wwahost.exe
                               "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
                               1⤵
                               • Modifies Internet Explorer settings
                               • Modifies registry class
                               • Suspicious use of SetWindowsHookEx
                               PID:6308
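
Most of the tree above is Edge and Bitdefender updater activity that the sandbox tags as "Executes dropped EXE" only because the binaries were written during the run; the one place it records what the updater actually reported is the long `/ping` argument MicrosoftEdgeUpdate.exe passes on its command line. The following is an added example, not part of the sandbox report and not any vendor's tooling: it parses this page's listing format (path line, command line, `N⤵` depth marker, behaviour bullets, `PID:` line) into a parent/child tree and base64url-decodes the Omaha protocol request XML carried by each `/ping`. The excerpt it runs on is constructed to mimic the tree above, and the request XML in it is constructed as well, with a fake session id and URL.

```python
# Added example (not from the sandbox report or any vendor): parse this page's
# process-tree listing and decode the Omaha /ping payloads. Sample data is constructed.
from __future__ import annotations
import base64, re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

@dataclass
class Proc:
    path: str
    cmdline: str
    depth: int = 0
    pid: int | None = None
    behaviours: list = field(default_factory=list)
    children: list = field(default_factory=list)

PATH_RE = re.compile(r"^[A-Za-z]:\\")                # bullet that opens a process record
DEPTH_RE = re.compile(r"^(\d+)⤵$")                   # the listing's depth marker line
PING_RE = re.compile(r"\s/ping\s+([A-Za-z0-9_-]+)")  # Omaha payload: unpadded base64url

def parse_tree(text: str) -> list[Proc]:
    """Rebuild parent/child links from the N⤵ markers (the listing is depth-first)."""
    roots: list[Proc] = []
    last_at_depth: dict[int, Proc] = {}  # most recent node seen at each depth
    cur: Proc | None = None
    pending_path: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            item = line[2:]
            if PATH_RE.match(item):
                pending_path = item          # next line is its command line
            elif cur is not None:
                cur.behaviours.append(item)  # otherwise a behaviour tag
        elif pending_path is not None:
            cur = Proc(path=pending_path, cmdline=line)
            pending_path = None
        elif (m := DEPTH_RE.match(line)) and cur is not None:
            cur.depth = int(m.group(1))
            last_at_depth[cur.depth] = cur
            parent = last_at_depth.get(cur.depth - 1)
            (parent.children if parent else roots).append(cur)
        elif line.startswith("PID:") and cur is not None:
            cur.pid = int(line[4:])
    return roots

def iter_procs(nodes: list[Proc]):
    for n in nodes:
        yield n
        yield from iter_procs(n.children)

def encode_omaha_ping(xml_text: str) -> str:
    return base64.urlsafe_b64encode(xml_text.encode()).rstrip(b"=").decode("ascii")  # no '=' padding

def decode_omaha_ping(arg: str) -> str:
    return base64.urlsafe_b64decode(arg + "=" * (-len(arg) % 4)).decode("utf-8")

def summarize_ping(xml_text: str) -> dict:
    """Fields an analyst wants from an Omaha protocol 3.0 request."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {
        "installsource": root.get("installsource"),
        "apps": [{
            "appid": a.get("appid"), "version": a.get("version"), "nextversion": a.get("nextversion"),
            "events": [(e.get("eventtype"), e.get("eventresult"), e.get("errorcode"), e.get("url"))
                       for e in a.iter("event")],
        } for a in root.iter("app")],
    }

def ping_reports(roots: list[Proc]) -> list[tuple[int | None, dict]]:
    out = []  # (pid, summary) for every process whose command line carries a /ping payload
    for p in iter_procs(roots):
        if m := PING_RE.search(p.cmdline):
            out.append((p.pid, summarize_ping(decode_omaha_ping(m.group(1)))))
    return out

# Constructed request in the shape of the page's pings (fake session id and URL).
SAMPLE_PING_XML = (
    '<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" '
    'updaterversion="1.3.195.15" ismachine="1" sessionid="{00000000-0000-4000-8000-000000000001}" '
    'installsource="scheduler" domainjoined="0"><app appid="{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}" '
    'version="92.0.902.67" nextversion="128.0.2739.42"><updatecheck/><event eventtype="1" '
    'eventresult="0" errorcode="-2147023838" url="http://example.invalid/e.exe"/>'
    '<event eventtype="2" eventresult="1" errorcode="0"/></app></request>'
)

# Constructed excerpt in the page's listing format.
SAMPLE_TREE = r"""
• C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  1⤵
  • Executes dropped EXE
  • Modifies data under HKEY_USERS
  PID:6124
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping {ping}
    2⤵
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:5664
• C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  1⤵
  PID:4088
""".format(ping=encode_omaha_ping(SAMPLE_PING_XML))
```

Omaha writes the request as base64url without padding, so the `-` and `_` characters in the blobs on this page belong to the alphabet and are not corruption; the decoder re-adds the padding before decoding. The decoded XML gives the install source (scheduler versus an explicit install command), the app ids and version transitions, and per-event result and error codes, which is what separates a normal background update from something worth a closer look. An argument that is cut short will not decode; take the full command line from the sandbox in that case.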

                                Network

                                MITRE ATT&CK Enterprise v15

                                Downloads

                                 • C:\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.42\Installer\setup.exe
                                   Filesize: 6.6MB
                                   MD5: 11a19165aa72e46ad47200ca46760c87
                                   SHA1: 2fe4616eadaf543846571564ca325e772ea5375c
                                   SHA256: eaac114b05373d005f91c2824c3b907d01842056468018b95a688e82ffcc95b1
                                   SHA512: 5b4074ba1598c7441fd3dffed54cf0cea540a8e58ace339254b9a29bd6709a8e64458c10e9797a75ba8e0e84566e8c5935bf4891b0115dc02017396d70f47b27

                                 • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{46B0E96C-3610-4C34-975F-C51112E29B98}\EDGEMITMP_2CC20.tmp\SETUP.EX_
                                   Filesize: 2.6MB
                                   MD5: cff584c1f684de00ba2152b0040e2338
                                   SHA1: a4e3f3b59faf021d628f2f3b7e754de56e8d3eef
                                   SHA256: 3376df9180a4a35723477319ae2bcb0db8ef5e067c8f8fd0b13558d3d4270fe7
                                   SHA512: b5513700bae7971b3e70f50ec45ff2992290dc3967f55b54dba5bb472c48a2dd8142fd1ada2959986428b8c448968a3877fad7bb0d7b598d85ddea8cb2b6c213

                                 • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                   Filesize: 201KB
                                   MD5: 136e8226d68856da40a4f60e70581b72
                                   SHA1: 6c1a09e12e3e07740feef7b209f673b06542ab62
                                   SHA256: b4b8a2f87ee9c5f731189fe9f622cb9cd18fa3d55b0e8e0ae3c3a44a0833709f
                                   SHA512: 9a0215830e3f3a97e8b2cdcf1b98053ce266f0c6cb537942aec1f40e22627b60cb5bb499faece768481c41f7d851fcd5e10baa9534df25c419664407c6e5a399

                                 • C:\Program Files\Bitdefender Agent\27.0.1.285\ProductAgent.dll
                                   Filesize: 2.0MB
                                   MD5: 9efa4f707b69ffa5c327961f413692a7
                                   SHA1: d4ea2b0cf1f64dab5e05ceee6b0a7e732adecabb
                                   SHA256: 7c88ee24f6dd139391f820d0dcc71bf494f2e8ef2f66da79aa82726ef77c6910
                                   SHA512: 9d132eb36a04a3980266db44a8df7ed2cbeada963fdc5ce9b52bb5f6e25dd7abd538f5d2136975efd9fab9500e59e4a42522577b8d8d34743c3ca4635c588b6b

                                 • C:\Program Files\Bitdefender Agent\27.0.1.285\ProductAgentService.exe
                                   Filesize: 685KB
                                   MD5: addcdde6f49ba10dfe5e2697263899e5
                                   SHA1: fb37d378baed7b6e4db084b84ec3fdc067bad7a9
                                   SHA256: 472752dbbc4c8d5ef8ccd187d40253943307d6d43bb9000d8e1e3c830e477671
                                   SHA512: d4e7120609d21c0f0a7b5a068b49653c906f8e4c64aacdd92a2218fa49eea8b20f88ec855e06a1128e3086eaa4808ed2d6b03cd3e4ce7e8c206888dd2f4a3841

                                 • C:\Program Files\Bitdefender Agent\27.0.1.285\bdch.dll
                                   Filesize: 1.7MB
                                   MD5: c1581ab767a606113d005e6de6083a92
                                   SHA1: 021c80bacbb315662cae41a7aba85172309ff437
                                   SHA256: 8db91533bf373aeb3101a38b0e92d09bc047bf0ef60b7a9c24c03f382927be8b
                                   SHA512: 24aab9a88c36364cfd2543664a6eda6367daaf00cf27fa812addf2ef8227359a36c059f8de6d2b8a873f571ac84a6d3d683c23d228d4cd7dbe7833a0e8340135

                                 • C:\Program Files\Bitdefender Agent\27.0.1.285\bdch.json
                                   Filesize: 1KB
                                   MD5: 3a3301c608fd7c6e32a84a4fbc5faeea
                                   SHA1: d8b9cbd3b91bacaa7ba542ff6eb4fcf69aa0c07e
                                   SHA256: 30d84602bf32eb39243c35b7ac20451081102b5b04bc1069488f1ff11ced2bd6
                                   SHA512: 2df8e828ef841e30dd6412be76965dfa689ca3af9dbd04c0cd9643d187b61d3de74f5035e8947d3de41835198d97fa37cf6e9a0ed4efc04a5b0e30188a25b04f

                                 • C:\Program Files\Bitdefender Agent\27.0.1.285\bdec.dll
                                   Filesize: 510KB
                                   MD5: 2ea9d7969c3ce78a3e88a704c7793584
                                   SHA1: 7a80672c8a7dfa8b299a80d7eb999f0bacc66287
                                   SHA256: 265313ec211d8dbd89c7149e22be3e4a9ee99f02f87a0d8a0a05fa82142c0cce
                                   SHA512: c4c4d8a86988c952cab2fdfd626092c909cd4f740550b0b9df0dd8c0fd9383b8a90391abafe87f195d361e129701cee7096c9add3e7b96ade901e1611c7efe46

                                 • C:\Program Files\Bitdefender Agent\27.0.1.285\bdec.ini
                                   Filesize: 129B
                                   MD5: 96d15c4f3db04429631866751a1d2890
                                   SHA1: 61066ffead2b6859e4d3fd497a78b05343ccf25e
                                   SHA256: e8d31c1de790f738ef75daa0402584560a0672402d0d3ded0899d2dbc95fb911
                                   SHA512: 2e5c94e2d92eadd28f604ed1f04d6e2dc9d9a4ffb3c2270e9d19792ad41c0c536260616a17b433f4f2bc57b31b116ffa06eefb61955b98029f15593db4122189

                                 • C:\Program Files\Bitdefender Agent\27.0.1.285\bdnc.dll
                                   Filesize: 2.7MB
                                   MD5: 03f319663106b81d7986c4bb63d5f742
                                   SHA1: 974055a0970f2265b66020318783d8ceb1c7e9fb
                                   SHA256: 19503f0170fd8ef18bcb2dfed63a1213840ebc6c198bf46b167a8627cf4bd673
                                   SHA512: 271a766f68cb0aa3d40e17c5cb4a5f1182b1c31bfe70a84cd9c64943ed64c408cd20d7d8528e054b2da8ecf6346a022a7eb2db58751e768a2606404e67b4bced

                                 • C:\Program Files\Bitdefender Agent\27.0.1.285\bdnc.ini
                                   Filesize: 155B
                                   MD5: 758591d297b16ee7b5127f2fe3e67a27
                                   SHA1: d782a572579a9f52e31bef5377997c7f9be28790
                                   SHA256: 2c6224951714e685114b51c4e598c2bad8c7bc16975f7401ac51e101afcab837
                                   SHA512: 808f47903ee90c68939aca97ca06b1523bc5355d7de6c1b3ec14d0cd560b3bf77abe7c429964176711b91bf6a9bb2a1a9fe22206daa465ff2ec55e55ccc2eff3

                                 • C:\Program Files\Bitdefender Agent\27.0.1.285\bdreinit.exe
                                   Filesize: 1.3MB
                                   MD5: 1f981c4b91f030dd58b32eb268d45e4a
                                   SHA1: e600dafaa672adf0059469fcd3115350eb08adc1
                                   SHA256: 83701e2d0fe769bcc2c870f4de033bb89a8c304c45ae21151e66aebe8bbe4211
                                   SHA512: ddfe8d876906b1f9d63605079d35b4f6c52ec63ceb7bd264eb2efeb5babc00219980687b2c434f81db5986f279e25fb3f049509ad18b0ab54354512cf8646f85

                                 • C:\Program Files\Bitdefender Agent\27.0.1.285\installer\bdnc.ini.md5
                                   Filesize: 34B
                                   MD5: 3a0a7d7823833be6e8af5ab1af295139
                                   SHA1: 1895dea63fb05e7e6f90e052936de086874c4c75
                                   SHA256: a5f15ba3b16384b584780f2bbb0ef3e7fd49ccabd0b9ca10437882f65f49c7f2
                                   SHA512: 0d1377acaf8c5062e4ed7b3ad3fe0fbae594b6ce234aa9339471a31c63d6ea768c6cb2ca24820fc7726282c7fbbd41da29242cd3c288d7a0e8cc6b7e49c9835d

                                 • C:\Program Files\Bitdefender Agent\27.0.1.285\log.dll
                                   Filesize: 304KB
                                   MD5: 37cf22012405d109cfffd46883b96dc2
                                   SHA1: 1fb13853c963278857fbeff4b9701ee882c1c7c4
                                   SHA256: 3435a559b087ba529c18445e3d23248acf669b598701f2ef10675ced279becc8
                                   SHA512: 2672112e7fc2f1de0e6879a5c11714ab3361c7690544a855dd74f7aff80e8206bd96d687957eb358111594eb0e0a87e7c5627fd98f3fdf763130ede8a96997ce

                                • C:\Program Files\Bitdefender Agent\27.0.1.285\settings\LoggerConfig.xml

                                  Filesize

                                  78B

                                  MD5

                                  bda7be337da35949bb617c42de5fd811

                                  SHA1

                                  bf5e6c6a7dc9f9ccdb6207ac0d31a1aa76ec93e6

                                  SHA256

                                  54e2f0d07609a40a45bb12d3a271eec1fb9021f62b756a4bdbdc42191fd79dcd

                                  SHA512

                                  19b96b62a4055bdf254b13acba70fb8a4ec606a45abfe4fbf97c29aeb16a9e12d4e2529339f7571f62558559111f493bc52797388bfe629194cc89fb9d1b275e

                                • C:\Program Files\Bitdefender Agent\27.0.1.285\settings\ProductAgent.json

                                  Filesize

                                  1KB

                                  MD5

                                  c40251554544c9f8632da819da1db9c9

                                  SHA1

                                  8422bf0fe7a98f700a3243ed4849d317a52a9ed8

                                  SHA256

                                  7abc6e1e5f1c99dc70a888bc1a7f962e7d0d7f886fdce6ec300674c6e86a82fe

                                  SHA512

                                  d1eda516e2a30936a724fe59fc890471fc1c20fbfb72963f8a75f74010124eb34a39988180ea338958c9ed996645dffce437de2b798fb230aa447aafd73071f2

                                • C:\Program Files\Bitdefender Agent\27.0.1.285\x64\bdnc.client_id

                                  Filesize

                                  36B

                                  MD5

                                  f4c2784aa289f17d144a589751c7980d

                                  SHA1

                                  b414dd690863acf3614c25c911697f1b16c24c62

                                  SHA256

                                  e6e827f81840ce8975cd5e30467ddc1661c3f407cd9d342d00800f32c01dcc26

                                  SHA512

                                  3f3f8f8ae91d679745189722c88d97d19e8728ce3289deda2e89a79061ad06d0a627a9783a9ef2a833f6a7843d882bebdae77d178f3d810b581093b299f2b70e

                                • C:\Program Files\Bitdefender Agent\ProductAgentUI.exe

                                  Filesize

                                  1.9MB

                                  MD5

                                  939c4ec71d95922a80d49607a19788e4

                                  SHA1

                                  94cd3949a4f5196c9a5fbe3ab44c15d932b571f0

                                  SHA256

                                  82a797a0ff1206dd5e5af2e6da348f231b8366f87e53e05894eb7f7ab4c24b94

                                  SHA512

                                  3d056dc215ba68c5654344771b10d21f821167067ca7b5e768984b3b8c43f1f5db8d2ada908fa3166ddd331800563e2fe3da28a8c5df7d2bba0493bf5d0374ee

                                • C:\Program Files\Bitdefender Agent\redline\bdredline.bdch.json

                                  Filesize

                                  943B

                                  MD5

                                  789550fc8b95d306379e4d952450886a

                                  SHA1

                                  2da4e25e88a11754cfe74e9e0baa5d686a101b6f

                                  SHA256

                                  ea380adc4a762a137782cecc2a5ffdd2f7c4c234f7861b7b127df6c0b40fe0b8

                                  SHA512

                                  eb7efae7db73a7e8d07b35d2dc4197194fb0f6d7b0ee384a1ffec7f22421b86761c1c401e62ef49bc3565f02ee31ec0033ca4943d8cdf126aaa29160e98a962d

                                • C:\Program Files\Bitdefender Agent\redline\bdredline.conf

                                  Filesize

                                  357B

                                  MD5

                                  359c00356b7b0e3a871dccf4f5b7e17b

                                  SHA1

                                  2d12be84f3db7a11becc6838b13764103809924f

                                  SHA256

                                  6017a4af984473cb2c626419304c79f1dc33b1632e9601510a5c85323b319a55

                                  SHA512

                                  c6891cbb382983f605457f0ab11d33971b53eb305eb3ce9f518cb329a7f042da6f7634c13e9a8fc02c696e4295d95b5f2a2eb8ce3492b50654740617c900d1b3

                                • C:\Program Files\Bitdefender Agent\version.json

                                  Filesize

                                  44B

                                  MD5

                                  d34263396a84b801ef47ef3495e4739b

                                  SHA1

                                  6d9ce0c16ed6560c67c25f079b99d7171bfee06a

                                  SHA256

                                  3866fac3aedcdbb41b25319d051dd72051c54df664fa323c57f759e97d274f59

                                  SHA512

                                  0696b4b3269fb5de0498eaf14826cd795d51563da967e1a062b49f93aab328a6ced4e3e0af867b52b8b9b51caa7ffbbfb9e8d84a3699e8c7433e74d535907795

                                • C:\Program Files\MsEdgeCrashpad\settings.dat

                                  Filesize

                                  280B

                                  MD5

                                  621543fd0027b5b05a5e76f2851e104c

                                  SHA1

                                  8e1cbe742fc20c33a4e8bbff9a173f1c59f79408

                                  SHA256

                                  dd0c9b2643c9e86e7ffe977a52b69b4524ae17281d18cdae372fbee8f7871b45

                                  SHA512

                                  f794a0aa30f8df820c8f01de5cc5d94ebb688ab2c123b0f4619097e8142f3e0e5289973128ab4fe0fa7b9bef799b289f47dfb7a4617baa54753d8338e7a02aba

                                • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

                                  Filesize

                                  181KB

                                  MD5

                                  aaa439ff233638ef961bab57c679b1d6

                                  SHA1

                                  05d97a74469a0cca0765935bb16766b3056858fb

                                  SHA256

                                  b7e88f8641db2604d10254b0149fc2cf637e7907444bf8d20598859740eed008

                                  SHA512

                                  73cde0bb69c45dbef25cefd25035d9a7afb02e2bf7f227dd0f27042ad66728016ab5f5c723ef1520d6e9bd667c599c903eee2381925adebbd48cc793394d60b3

                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json

                                  Filesize

                                  43KB

                                  MD5

                                  34fbe15ac3cb5043d64f51a6b630b1f4

                                  SHA1

                                  398d5e5aa003fad230a9b59706ea003e64a4a699

                                  SHA256

                                  e6cd2030124b9f661ba6f7bab5463f77ddd15b063641fd93627737ac805bcb0d

                                  SHA512

                                  be1959f353ac2db49bb333ce6cf6cbf6002b625facd9891c117e655508d39ba87445a43529c4f09714dd8f4ae492c5d8db58636fd70c12892d09be73f1311e0b

                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\DB1742FABE0A7197269CB1791F8541A76CBE1308

                                  Filesize

                                  220KB

                                  MD5

                                  80b07f2ac9c89be3e9bdea7f115e3c2a

                                  SHA1

                                  15e68b597afaddf4b2aef6253049c390c1a8a4c6

                                  SHA256

                                  4a8efb0a57d046c9ec08bd6b7a22dc4bd9375b2dbc0bb4a01e9ff2ee890e5d43

                                  SHA512

                                  8e6658ec9289e7f98c2838416fe1cfacbc5eb35d669db3851e1725b4129e615434a02821cc084fa58e9d1479ce72f7ecb7e2cfea81241da4718ad78c3d08c20d

                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html.~tmp

                                  Filesize

                                  104KB

                                  MD5

                                  effecce1b6868c8bd7950ef7b772038b

                                  SHA1

                                  695d5a07f59b4b72c5eca7be77d5b15ae7ae59b0

                                  SHA256

                                  003e619884dbc527e20f0aa8487daf5d7eed91d53ef6366a58c5493aaf1ce046

                                  SHA512

                                  2f129689181ffe6fff751a22d4130bb643c5868fa0e1a852c434fe6f7514e3f1e5e4048179679dec742ec505139439d98e6dcc74793c18008db36c800d728be2

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe

                                  Filesize

                                  249KB

                                  MD5

                                  af0552d9dadf4ae9682589cfb90a0128

                                  SHA1

                                  65719cda91c1a3b169a491da4b30961556886d40

                                  SHA256

                                  f088c87744cebca0761fe3d4bd18cb73e39f56eeea58712791a0108bd7e3c7d6

                                  SHA512

                                  a2e40df194f9b37aa26e30d2d7175de4152480d27bf98c30d91ecee24b6165d7510d8baec96e375df5de5cb734ed6163d8b15f8b5cea736d0afc987a3915ed9e

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bdch.json

                                  Filesize

                                  960B

                                  MD5

                                  1dbe6bd18cb22b26d57e21ff4d9547f0

                                  SHA1

                                  2e6ee5c52c68f282d75320c4fc98519da89536f3

                                  SHA256

                                  7726cba273d4ce8cb1b015c3f159a629c5a8801d56ee9ac617145983a40b2990

                                  SHA512

                                  97be9053ceea8d6cc6748a1215ce3b66be842f4c6c37bf58094605e4c9b477ab84b8ead1dcfa7dfe8a4f6804c6571fad85326d783e266a4722af3b3396a2724d

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe

                                  Filesize

                                  401KB

                                  MD5

                                  628b34ba0a1bc3f7b5c361730921bb0c

                                  SHA1

                                  5112b5f4af81651b19477cd994fce6fa64e5e18b

                                  SHA256

                                  c7a5c1dbb06fd1d3e419a4441dfc735858f0404e45bcc0cc7887f515e3b0c6b8

                                  SHA512

                                  b2f879f3772366c2f0386862642bc0cbe276953f1d05873e6115e833ec4ebd7b0ed01a80adca620838afa39d76b2a58446004dcead3f3676192c5f388cfbb13c

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\deploy.dll

                                  Filesize

                                  20KB

                                  MD5

                                  907c7f7f933cce6494d138f5081c07a4

                                  SHA1

                                  8d21225edd014e16b7d0fdd6ce2aea36fc603412

                                  SHA256

                                  3cb6f5aada6cccb4e63beac16a4b9d065a78648896f4f1e47204eeaf0bc8feb1

                                  SHA512

                                  9ecad41322759a68958a9f741dc83143c1de35cb814d7a198a8d4911ef54971b1a7654a2b0c6d5e9fef753dcf4d663a6f76c4309407f46e422636266d024b405

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe

                                  Filesize

                                  948KB

                                  MD5

                                  10a3ee1568e87b00b4709d8fa803130f

                                  SHA1

                                  9ea2754570a76d75851e3a85cad42dbf15fb7162

                                  SHA256

                                  4079fa18b9a40f5c3db4b9c8d81bc564a924844f7c0d990ffda085d94dae20ff

                                  SHA512

                                  b1758da68b172e6937d83d6167bff585f4085b000baaf2e2373c272f6ee32722f9c5aa900b8c6ac3c2496f4623003cb14b9694fd14f649f551b993443e055477

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\additional.dll

                                  Filesize

                                  1.5MB

                                  MD5

                                  820f66140cb9e68c5df1fac1e161a8ba

                                  SHA1

                                  91539a787fb66f9cb7a2d4c4ea1164d2c4bd3574

                                  SHA256

                                  bc6e14cf9a317c1c90303e0c2023221946bc07077b75c03b4da4aa39173760e0

                                  SHA512

                                  4f7363356e35234332f3445739ca82eca0e9db0c9abebac412c737652d7e2ab65613b1ffcec7cd047fca91361cf106537270b63d8033fa9df620c5a403450df7

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe

                                  Filesize

                                  11.8MB

                                  MD5

                                  4318eb64a0c848eaef021d659134f329

                                  SHA1

                                  e4ec66c1fc257fd710d978076fb251772d14d2ce

                                  SHA256

                                  3b00f02d1390180232f8801c91afacfb79a646885f7119bdac226a9c876335ff

                                  SHA512

                                  33cb0b6e7f85484677708ff5da82fb3ecf3753f18bc3f5c6a860e5932b39b022e1d1ed5e6acb251844eb23f4446199606d5415afa6451d2a1352a4f5ac814aee

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe.md5

                                  Filesize

                                  32B

                                  MD5

                                  6b37790334bbbee85fbc44f017cd8049

                                  SHA1

                                  f3e2cb28b0df20780a18290ef4aea37a6590c0b4

                                  SHA256

                                  e345831aa79318490dba530afab6a180fa542ff5ef06288368e1e38144db77a2

                                  SHA512

                                  3c6fb072d63456c46fac99a961547bd23371a3266f469a9cb4843cbcfc6f21759532ec457bdf521d8f22d2046415836eb1a3e37df95f532fd38b7db263f02db8

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\bdredline.bdch.json

                                  Filesize

                                  730B

                                  MD5

                                  3266bd308834ee8d251433b44ee0a48d

                                  SHA1

                                  c271fbb539824ff577752d2f82b1b498a9ac91b7

                                  SHA256

                                  a773cf585925921309cc117e59ee87c56ae7e9f7e7532b4fb153e4ac72dac76e

                                  SHA512

                                  edcba4498e553b4e6d9eb28b7c29e880b04ab531435c50685d638769ac5ae74c6e3de8c02ecdcb385d05f347b27f2e1e6bab72ff45a16642013b28b44fe85321

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\bdredline.exe

                                  Filesize

                                  2.5MB

                                  MD5

                                  d42f9eb267cbeeb28d88d7297fb76d94

                                  SHA1

                                  b2e851b47201d38a0c3f05cb9551a6ffe22bbb53

                                  SHA256

                                  1e95aac8a139ce2532bf871e5207fb4f1a07b2e10895874c3c29a443d3b1734e

                                  SHA512

                                  3a796f4e64570946ceee7809464d0068ac52720612c64a0e5f70bd83a0ecfdbf290be82c1278f8e6d8f9b34bcc1461b69558e885db6a083029aefea6f234eb4a

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\data\params.json

                                  Filesize

                                  76B

                                  MD5

                                  fd2ff955bc4291a433528157c195f57a

                                  SHA1

                                  c7444121a44c6d084f73c067c750b0ea04b563b9

                                  SHA256

                                  eed4f75204a965a1c99e082698c8b76b93c847e8a3982bfc563c26860ba8a179

                                  SHA512

                                  fdd80e27de5123f8189b00800786fd873be6c7ba44ed3911909661759b319040d05b6c36a9017bd8e3658350ff6be45262cb50ebe4a5ebfc535fb8cbaae2e065

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe

                                  Filesize

                                  786KB

                                  MD5

                                  7bfbbd8f6057367a6acf4f2a7b695032

                                  SHA1

                                  ada4dd20361ffb4bf93f69543fefc8e17406595a

                                  SHA256

                                  1e9d538dc1fcc9fca8e1539df599bc1f1d2eb8170a17e190e744871a826a695f

                                  SHA512

                                  a711aa9bf0e3846d22a6b9958115e77d4e48ad714f8640d190e38c96ae7b055e4811cc3507db751a9bc8306758ab13bd52e152f2393a982dbb9eb54590763092

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\ltr\resources.dll

                                  Filesize

                                  97KB

                                  MD5

                                  8a13a9777bb3461c0070f9a733b83047

                                  SHA1

                                  9108bdebad36dd7844f7266682b5b535499b75f9

                                  SHA256

                                  59e65ef466336317a0fc714163b44f8fcb778dfd2a25edf2db9e3bdf0dbce3ec

                                  SHA512

                                  4ce08c83c05f38b7b8d1976e24de72e2bf2f726b97292ff19f9f3f917af6e5fef8fe8f71738a032d52b8aaee81c369b160bb36d89aa96fff88377ea6725261d7

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\productagentdp.dll

                                  Filesize

                                  570KB

                                  MD5

                                  c1f307339e84180d3b87b71b99908200

                                  SHA1

                                  f47f07e7df3178e4ec6a8cf66fcc8633ba2739d0

                                  SHA256

                                  1353ba5f9f6bebe648ff9743c3506701d991203d7fc3f694e6156f0e2af77655

                                  SHA512

                                  16d6cf5b0df0fc6df809cc6327d833a848db2c7e3ab2c20ca57beda29d0f7e34eef01d5437c70bcce0ccc8a275738ad2d1978e2498ae563f0823b55a31c83921

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\sciter.dll

                                  Filesize

                                  4.6MB

                                  MD5

                                  0727f70fe6443e5b326e75535a3294f7

                                  SHA1

                                  3975fbc951571b722ea910d69b835f11f5218e20

                                  SHA256

                                  48722029167de0d67e538847a240f9a6dea84658fd7b53a375cb06bf1b558a14

                                  SHA512

                                  8997265786ac86326495cd6e40d41b007c78e5e3de2f86345f53232aa9fea2dcf94552ea38a12a22dde5d40a2ad601f360c2c81f4139ee660cff111471b61e74

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe

                                  Filesize

                                  5.6MB

                                  MD5

                                  e0d1c2da552578b75e931e67b5211cf1

                                  SHA1

                                  e4faf7ed23b22330aba7e4f7aa714a1a948f04c6

                                  SHA256

                                  7f6e606e04b95936084c6bbd0b43857766249c6e2afcf27d22f715331b79d6fa

                                  SHA512

                                  840102704453d6eeebc04bb878008daff5088aae866f9a20cf75df926a75afc6064c754b89a150bf3b3136b9d099714628fd7fe22b7d9f25d05e6ab593b5e242

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe.md5

                                  Filesize

                                  32B

                                  MD5

                                  d5833be216c5ecd4e5502aa9d63c45bb

                                  SHA1

                                  981cd22d00a4f36e8f25fd17aba11ce7f3d39601

                                  SHA256

                                  a35807d2437919814404868a0a2fcc5ed3cd3ea3a5721f1f5f028a61edf03d6f

                                  SHA512

                                  d692b3b1242bd91295d26d5be14d77fd4a63773a02293fb963c05e06603848b1c707be8d926607101131cfe96f4e28866bea6110d2053a3b02f5a55c9e160a5d

                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\unrar.dll

                                  Filesize

                                  278KB

                                  MD5

                                  99d3eb4a60ee0b9b989ca18195b2461e

                                  SHA1

                                  8ac08e5ed4efe61c5343e07fd3302ff6828a1a2b

                                  SHA256

                                  b5b8be58764798ed4ae42d45d7d853356c93a4825926c6bc9caecafda56bbc84

                                  SHA512

                                  56a093940ad24eeb3a377279bf7b08e0770c176bce10662b84c373eab57145bc4cf2e606b1177b70337c94d4b1cad5fe8220d028e245623782599f1d74b2427a

                                • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                  Filesize

                                  479KB

                                  MD5

                                  09372174e83dbbf696ee732fd2e875bb

                                  SHA1

                                  ba360186ba650a769f9303f48b7200fb5eaccee1

                                  SHA256

                                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                                  SHA512

                                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                  Filesize

                                  13.8MB

                                  MD5

                                  0a8747a2ac9ac08ae9508f36c6d75692

                                  SHA1

                                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                                  SHA256

                                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                                  SHA512

                                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                                  Filesize

                                  20KB

                                  MD5

                                  93caba11f7409430e38514b664f45764

                                  SHA1

                                  e0365122d5e5c012378e78369d1e0ec86d64dee5

                                  SHA256

                                  ba0d4f9ca4842564ec1a43ff6d5ba66c7490ab17f635c60b9d5523cbecf09ff5

                                  SHA512

                                  a2f25120325b41989fd4af88df091457d0f2e689dfd60126d166bef55eec0701e51a2969578a6afb663d293c8dfc491bd816d7ccbc400d242dced164a9a1c6b5

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                                  Filesize

                                  20KB

                                  MD5

                                  2b56ce2d8138c21ff8f60061e0377748

                                  SHA1

                                  b0c4ce8e5dc99882195b9c1bf0b0fbd54417b98e

                                  SHA256

                                  ce14fdbca4e0cf4902384693c59b0f5291d02002ed4b6b4f01fdc83e02375772

                                  SHA512

                                  aa97579380f9beac27146e66ced79b2789e4d68fe8020e981cfba0698eed484901041f30340c51fbb753f37523a36bfab1fbb4a69b80077378947a91c369bcd1

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AAVABLM4H79PR976BKMW.temp

                                  Filesize

                                  20KB

                                  MD5

                                  03bc15bd234c643365ce58c05766252b

                                  SHA1

                                  6f6094633124e94753221693b2d251b5bfb9aebf

                                  SHA256

                                  d3098277dcc5629d8a091b7c9dddc064a3d8fe92d0be066c3b34c2227b66af1d

                                  SHA512

                                  743a81670de70244bc0a1578b3c116face3b1fdd4a1117ca21d102f68eab1e40e7250c64fc63381311667fb11c6b4f8e7b00cf5394cac101e8aaeb9d03d4e5cf

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

                                  Filesize

                                  8KB

                                  MD5

                                  3972ce2c542a332001465f1d6dac0879

                                  SHA1

                                  9aab9cd222285de47f35371972fbafdaa17f66c9

                                  SHA256

                                  5c49a08d75f6b0d3198403ef95a12076677245d55f8e7c8f01fc2cae8e945e2e

                                  SHA512

                                  0a98f7151a818209c612e026ec1e4944d98c23b3f15671ae792162fa49c270f677d93ddfe162ea25c59a57ba9b53f112a4de7a5f7654e46fb9d561a3e9586ef1

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

                                  Filesize

                                  20KB

                                  MD5

                                  fe0205dc9de36c3f53a7e849f73f34b4

                                  SHA1

                                  4b92ee1ca2113fa3e4f7519600c15d5dc2bdcad7

                                  SHA256

                                  561f6abf9c053aa99e7bf8446678f9091174b9de3000a1694c29fcd02d4779f1

                                  SHA512

                                  50b09412c69a6eb82897a6b0cc5f5af28afd8628c8b2b5e4de1ba957afb39ba4a8fb5af264335c8b6afdec6e5bd046e76105bec1c2d65a6e3981069a7e4fbb85

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

                                  Filesize

                                  5KB

                                  MD5

                                  5b898b0170822cd95e1a31bba472bf7a

                                  SHA1

                                  9d56b9492edb04b4cd6a331066f5073f0bb69189

                                  SHA256

                                  6a054108c20397e46acd6d1983d3d975db4337afa923ad89cb8efc9ae805a8f9

                                  SHA512

                                  da5860d275e34d259cf675eaac6c590ac2a5ffa9529588c153f45d305ce1d953b31228913f0fc770d55610e8583219145505f7b9b18b1be1b1e20190b79ed834

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

                                  Filesize

                                  72KB

                                  MD5

                                  99d8e23b404bca195811ec9bd84339ea

                                  SHA1

                                  f387e6f22be812baf7cc0f444fc1755e9405b73e

                                  SHA256

                                  469144e3a9c12f58d817fd639a352c6b7f741c97cf27b0a7d39af5e9c5fd8a70

                                  SHA512

                                  b239577d428bb9c99b23d861af3ce6d7e419a65ab63ca93df4864f4f124a224457d5ae60e29ee5b4d93dd18ef9d9c276d17b49f79f9c436f17e6daddd76106cc

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

                                  Filesize

                                  71KB

                                  MD5

                                  71997c631307577883bc3df26f50abf9

                                  SHA1

                                  2ffb15f784bf88256a89b669bc129c6558ac493e

                                  SHA256

                                  4a05535dc209754affb0defaeecff65521dfe26703db0d3a3a7eb4fac36f3da9

                                  SHA512

                                  63ee60a41ac57c766bab80bcd8e3303e4189638284b1d3b44827f7c33280e6812c44152d21938297c66bd53c36317459361cdd53050aeba49f692d2e7bd2824e

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

                                  Filesize

                                  6KB

                                  MD5

                                  4de39b6e78b9676b4eb60813b523bb0c

                                  SHA1

                                  2321e566bbd73efa2d1367d07a161e4877827e7f

                                  SHA256

                                  d015da701ddd657554b06ee97577f98956d41e115d9e1ecdf1d1417f93f79e28

                                  SHA512

                                  2caa94b8e0e1ae6c73a9e171bb0ad0db5475e8aeac9f26925ac13fc56659b7e85219675f5b0f4505fd794c129be90a6e416b925708fa9c714c6e3b6d24e9909f

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

                                  Filesize

                                  6KB

                                  MD5

                                  b09acdb5c9408408dde861ec76d5ae81

                                  SHA1

                                  601e76d1c6279bbf57aadea144713c4bae4c2f95

                                  SHA256

                                  c1481ce3e9373e4e81172e5a012521391e19eddd43112a8efa665096c28d5a32

                                  SHA512

                                  bc1ea8eb57512cd28842efc0533ea490857d07ffe229d3be0451b9f77f32c340d118e6a4c5410c63f00fae399ebd4131a2849cf3f194441ea2ace2db99172803

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\072deaa8-6d62-4a53-87cc-38fc593afeb1

                                  Filesize

                                  671B

                                  MD5

                                  f68a7769da029eaa23cf34decd5ec7e9

                                  SHA1

                                  4f87be8409af2145275c43abe082da04ffbc0850

                                  SHA256

                                  85499d01c9b6c1657b2aa3e44bf717f95cefc06465b93a9501dc35608eae83fa

                                  SHA512

                                  f66601ee02c6b023d56f3393d7cac0b38a52fc8c8d66c98d2a3aa8791ce93405c249c7fe6c419432cfcb0e9928e524892c09678b0dc73a8706f9b1fc18fc2c09

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\6906e4ea-efe5-4432-8cae-02215b2a497e

                                  Filesize

                                  982B

                                  MD5

                                  4acc28c63978e1010fd6a29e0de8b154

                                  SHA1

                                  875f18cfc9fec58bf2a3c5302cbf52f7a7adae05

                                  SHA256

                                  eee442a22d52af7e9d5e2924842c93a7d83c746af2f80dad6dec5063dbe86cd7

                                  SHA512

                                  480c1b4d2dc59bb5bc85a544538335bd45e379ed44a4d313fb92d1d7dc17da2477e15c2de011ebe92b0792403695e8d17f688ee10069fd09e4052c127378fcb6

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\70481a7e-7ce8-4573-9a38-09c3d022bb34

                                  Filesize

                                  26KB

                                  MD5

                                  8fc3cbebddb2eb93f134016d1dbf59f8

                                  SHA1

                                  ecb6dd11fc6298ffb08e2a88a627e52ffc5ca8af

                                  SHA256

                                  3331455f0b32bacfac61e10552057b12a67776fcede3bfbd0ecf7a9a462535b1

                                  SHA512

                                  6601f81b96cb89c4ec0e432700421d0294962a338b133de8d3afe9cbbaffbcc56055385a58d05f0b2d185573b3d792e6b6446328db6b009bad8d399dfbca61b4

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                                  Filesize

                                  1.1MB

                                  MD5

                                  842039753bf41fa5e11b3a1383061a87

                                  SHA1

                                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                                  SHA256

                                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                                  SHA512

                                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                                  Filesize

                                  116B

                                  MD5

                                  2a461e9eb87fd1955cea740a3444ee7a

                                  SHA1

                                  b10755914c713f5a4677494dbe8a686ed458c3c5

                                  SHA256

                                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                                  SHA512

                                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                                  Filesize

                                  372B

                                  MD5

                                  bf957ad58b55f64219ab3f793e374316

                                  SHA1

                                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                                  SHA256

                                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                                  SHA512

                                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                                  Filesize

                                  17.8MB

                                  MD5

                                  daf7ef3acccab478aaa7d6dc1c60f865

                                  SHA1

                                  f8246162b97ce4a945feced27b6ea114366ff2ad

                                  SHA256

                                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                                  SHA512

                                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

                                  Filesize

                                  13KB

                                  MD5

                                  685b73bd4ff87539d701a37b43d97ae7

                                  SHA1

                                  fd602cdd69db2dcce1f50431353dd81aac8a27cd

                                  SHA256

                                  843fa98d10ca44e237a90644dac2df5d39b19d2c55aca90d6419f3164259c826

                                  SHA512

                                  b03d100c86c60a80d65d3748a1781c92f26ee268413a4466e2e9d0076e0f05ad3578afbabe65cea42ad3072d446eb577647ef96510be027a65f67bf1619818f8

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

                                  Filesize

                                  12KB

                                  MD5

                                  e554adeb075d44c2435e4c7161050b11

                                  SHA1

                                  ff9e7cf296831ef0e8823a9aae233323387bd571

                                  SHA256

                                  36aef059cb6dd20502fd4ad273701661e9770bf6dc49f162687f08ab16fc3ef3

                                  SHA512

                                  c91205f390df69fac8288e1f3ef68d2c23b8a2fc0e4f2dc3a00ed26460a8ee355f1d08ad7f9c86900be75266742553997849b81dec04851ff9aaed47e6f4b514

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

                                  Filesize

                                  11KB

                                  MD5

                                  02376076697eff113a4a989fa25c8849

                                  SHA1

                                  216ce3fe1af0613889224c71c633d2ac7f9511bc

                                  SHA256

                                  bca7d49f3fc5c13d8e82d37d6c1f66374ef1990a0b59991c31f079cc2aadf7f5

                                  SHA512

                                  0ce2ee2fe0d1a80b636729995c5c4cd76d2b5baa0b93459d147f234d6e23c2ccea6301a8c8658a43c17b9a2f00cb083ab49c6292d37dc40ea4f325b76a4ebf3c

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

                                  Filesize

                                  11KB

                                  MD5

                                  fa3ee5c0c322eb71167e9186e41b5eac

                                  SHA1

                                  a31d2e178bfdbe1fcf27c0052577712017afbbe1

                                  SHA256

                                  3e54806f059a6bf4c120ce7affed00cd3c2222913fd37f41deb87d2094807b03

                                  SHA512

                                  56f27fdff5eeb0896146bbedc7d5afe9513afe47f4a705b1804ac1936f010d090081a84e333456da610539ec0a32bbf5516577bfc43b098e47ca6b81797836aa

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

                                  Filesize

                                  12KB

                                  MD5

                                  20a37fea9ae0685d9d5f85c31bc9c0bd

                                  SHA1

                                  83baa5ac2e286bd49c8523e021255571f3ba7488

                                  SHA256

                                  9f022d7f7dd82d0d54ee17e6b6ea72dbccdf184d8020bed09f94f0c309153e14

                                  SHA512

                                  2673f540601d4e9b0480d7ed8f9a52bdb88bad42fd0f77999e2b8350ac33460e08d217edccf43bf0ffdfe76e8827ef12423929e86da94df7947e0d7d91687be3

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

                                  Filesize

                                  5KB

                                  MD5

                                  980ff9a660d772c500a49415d6101761

                                  SHA1

                                  83672fb3d78d9a9180311d372976aed23d9f76bf

                                  SHA256

                                  a75d16cadc2bb73bf6d3f65b82e9cdf666e3c2d20d49a7574348c9321914c80c

                                  SHA512

                                  b5f6f1f092c4a5ef12fc79fd4547609e60e93ec10f55cafd430835647817f8b365bd6765ae93b2d187114f0c7a1fc8e4dd37d727a0430e61c0c5f113dbb2692a

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

                                  Filesize

                                  7KB

                                  MD5

                                  536fe657751b43934c8c54e02f399ada

                                  SHA1

                                  b5d1fe71f30c25e30cfd19c7d4cbf2482678d9d9

                                  SHA256

                                  b64bf0b7f785cb81a0c7a72071d6673c293ab5f94f2dc734950f737e130ed325

                                  SHA512

                                  2e1da1d5bef2e2f88000a1f8962ca6d80b9dda742731f30b0fb9c4dc9d24a611ae52487efa9c6e86049c86227fcf1920f63396d47febda9e6441d03e37e50679

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

                                  Filesize

                                  10KB

                                  MD5

                                  8027ab8fd879d28a151d2f5e0ceabd25

                                  SHA1

                                  0f5c3511fb15786284e0514a1cc5e6e523c231d8

                                  SHA256

                                  34ded49e4dd0dd4e083536def040b99bf99c44c3eb45474cbd614bfe0ebafbc7

                                  SHA512

                                  b749550b05ce4b24bb0b0ab564d277810e860cacd462acea87ab8def9142978a14b1fd6d38d3da1d9db7281bc25f2949ff7c6d29aae1372a8114888687c2fb44

                                • C:\Users\Admin\Downloads\bitdefender_avfree.exe

                                  Filesize

                                  17.6MB

                                  MD5

                                  50d54b49c0ffbf37d74da5606b498764

                                  SHA1

                                  932045139da1741c64db497c5b0618dd30bf19ae

                                  SHA256

                                  219d8b067a9b861900841e7385dfa6ce7ff66344e9ac3514bcd18cca8994513f

                                  SHA512

                                  af7313090447395e0e4f41e32438053506e9dcd51051e1706492daae040bb2ed958c66512d9a8fdc66705ccaa82ba71fa888920b246e0f7ed7fc29c4795a4a65

                                • memory/2936-343-0x0000000000400000-0x0000000000643000-memory.dmp

                                  Filesize

                                  2.3MB

                                • memory/2936-293-0x0000000000400000-0x0000000000643000-memory.dmp

                                  Filesize

                                  2.3MB

                                • memory/2936-326-0x0000000000400000-0x0000000000643000-memory.dmp

                                  Filesize

                                  2.3MB

                                • memory/2936-312-0x00000000220A0000-0x00000000222FF000-memory.dmp

                                  Filesize

                                  2.4MB

                                • memory/2936-294-0x0000000000400000-0x0000000000643000-memory.dmp

                                  Filesize

                                  2.3MB

                                • memory/2936-9-0x0000000000400000-0x0000000000643000-memory.dmp

                                  Filesize

                                  2.3MB

                                • memory/2936-7-0x0000000000400000-0x0000000000643000-memory.dmp

                                  Filesize

                                  2.3MB

                                • memory/2936-4-0x0000000000400000-0x0000000000643000-memory.dmp

                                  Filesize

                                  2.3MB

                                • memory/3180-2041-0x000002193F070000-0x000002193F5E6000-memory.dmp

                                  Filesize

                                  5.5MB

                                • memory/3180-2035-0x000002193F070000-0x000002193F5E6000-memory.dmp

                                  Filesize

                                  5.5MB

                                • memory/3232-2053-0x0000000075610000-0x0000000075835000-memory.dmp

                                  Filesize

                                  2.1MB

                                • memory/3232-1738-0x0000000075610000-0x0000000075835000-memory.dmp

                                  Filesize

                                  2.1MB

                                • memory/3232-1774-0x0000000075610000-0x0000000075835000-memory.dmp

                                  Filesize

                                  2.1MB

                                • memory/3232-1737-0x00000000005B0000-0x00000000005E5000-memory.dmp

                                  Filesize

                                  212KB

                                • memory/4652-0-0x000000007517E000-0x000000007517F000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/4652-371-0x0000000075170000-0x0000000075920000-memory.dmp

                                  Filesize

                                  7.7MB

                                • memory/4652-1-0x0000000000AD0000-0x0000000000B06000-memory.dmp

                                  Filesize

                                  216KB

                                • memory/4652-11-0x0000000075170000-0x0000000075920000-memory.dmp

                                  Filesize

                                  7.7MB

                                • memory/5456-2045-0x000000006F970000-0x000000006F980000-memory.dmp

                                  Filesize

                                  64KB

                                • memory/5896-1568-0x000000006F970000-0x000000006F980000-memory.dmp

                                  Filesize

                                  64KB

                                • memory/5896-1590-0x000000006F970000-0x000000006F980000-memory.dmp

                                  Filesize

                                  64KB

                                • memory/6160-2313-0x00000217EE480000-0x00000217EE488000-memory.dmp

                                  Filesize

                                  32KB

                                • memory/6160-2314-0x00000217EE800000-0x00000217EEA49000-memory.dmp

                                  Filesize

                                  2.3MB

                                • memory/6160-2312-0x00000217EC3F0000-0x00000217EC3FA000-memory.dmp

                                  Filesize

                                  40KB

                                • memory/6160-2311-0x00000217EBF30000-0x00000217EBF3E000-memory.dmp

                                  Filesize

                                  56KB
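The listing above is the raw dropped-file and memory-dump inventory in the sandbox's flattened layout (a bullet path, then label/value pairs). As an added example, not code from the report or from the sandbox vendor, the Python below parses that layout into records, validates hash lengths, checks that each `memory/<pid>-<n>-<start>-<end>-memory.dmp` entry's reported Filesize agrees with its address range, and separates Firefox profile churn from the artifacts worth hunting on. `SAMPLE` is a constructed excerpt copied from four entries above (blank lines dropped; the parser ignores them anyway); the Firefox-noise heuristic, the 10% rounding tolerance and the function names are assumptions made for this example.

```python
"""Parse a flattened sandbox dropped-file / memory-dump listing into records.

Added example, not part of the original report. SAMPLE is a constructed
excerpt copied from the listing above; the Firefox-profile-noise heuristic
and the size tolerance are assumptions made for this example.
"""
import re

# Constructed excerpt of the report's own layout: "•" path line, then
# alternating label / value lines. Blank separator lines are optional.
SAMPLE = r"""
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js
  Filesize
  11KB
  MD5
  fa3ee5c0c322eb71167e9186e41b5eac
  SHA1
  a31d2e178bfdbe1fcf27c0052577712017afbbe1
  SHA256
  3e54806f059a6bf4c120ce7affed00cd3c2222913fd37f41deb87d2094807b03
• C:\Users\Admin\Downloads\bitdefender_avfree.exe
  Filesize
  17.6MB
  MD5
  50d54b49c0ffbf37d74da5606b498764
  SHA256
  219d8b067a9b861900841e7385dfa6ce7ff66344e9ac3514bcd18cca8994513f
• memory/2936-343-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize
  2.3MB
• memory/3232-1737-0x00000000005B0000-0x00000000005E5000-memory.dmp
  Filesize
  212KB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
FIREFOX_PROFILE_RE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.IGNORECASE)


def parse_size(text):
    """'17.6MB' -> 18454938 bytes (the report rounds sizes to one decimal)."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(round(float(m[1]) * UNIT[m[2]]))


def parse_listing(text):
    """Return one dict per '•' entry; labels and values alternate, blanks ignored."""
    records, cur, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            cur = {"path": line[1:].strip(), "hashes": {}}
            records.append(cur)
            label = None
        elif cur is None:
            continue  # stray text before the first entry
        elif label is None:
            label = line  # Filesize / MD5 / SHA1 / SHA256 / SHA512
        else:
            if label == "Filesize":
                cur["size"] = parse_size(line)
            elif label in HASH_LEN:
                if len(line) != HASH_LEN[label] or not re.fullmatch(r"[0-9a-f]+", line):
                    raise ValueError(f"malformed {label} for {cur['path']}: {line}")
                cur["hashes"][label] = line
            label = None
    return records


def check_memory_dump(rec, tolerance=0.10):
    """For memory dump entries, confirm reported Filesize ~= end - start.
    Returns None for entries that are not memory dumps."""
    m = MEM_RE.match(rec["path"])
    if not m:
        return None
    start, end = int(m[3], 16), int(m[4], 16)
    rec.update(pid=int(m[1]), dump_index=int(m[2]), start=start, end=end, span=end - start)
    reported = rec.get("size")
    if reported is None:
        return False
    # the report rounds sizes (e.g. 2.3MB), so allow proportional slack
    return abs(rec["span"] - reported) <= max(tolerance * reported, 1024)


def triage(records):
    """Split entries into memory dumps, browser-profile churn and everything else."""
    buckets = {"memory_dump": [], "browser_profile_noise": [], "other_file": []}
    for rec in records:
        if MEM_RE.match(rec["path"]):
            buckets["memory_dump"].append(rec)
        elif FIREFOX_PROFILE_RE.search(rec["path"]):
            buckets["browser_profile_noise"].append(rec)
        else:
            buckets["other_file"].append(rec)
    return buckets


def sha256_iocs(records):
    """SHA256 values of files outside the browser profile, for blocklists or hunting."""
    return sorted({r["hashes"]["SHA256"] for r in triage(records)["other_file"]
                   if "SHA256" in r["hashes"]})


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for rec in recs:
        verdict = check_memory_dump(rec)
        flag = "" if verdict is None else ("  size ok" if verdict else "  SIZE MISMATCH")
        print(f"{rec['path']}  {rec.get('size')}B{flag}")
    print("IOC sha256:", sha256_iocs(recs))
```

Run as-is it reports both dump entries as size-consistent (0x643000 - 0x400000 = 2,371,584 bytes, within rounding of 2.3MB; 0x5E5000 - 0x5B0000 = 217,088 bytes = 212KB exactly) and emits only the `bitdefender_avfree.exe` SHA256 as a hunting IOC, since the `prefs.js` and other profile files are ordinary Firefox housekeeping written while the browser ran. Note that PID 2936's `0x400000-0x643000` range appears at dump indices 4, 7, 9, 293, 294, 326 and 343 in the listing above: the same region captured at successive points, which is what you would diff to see the image change in place.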