55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
2700s
max time network
2695s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
18-02-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Downloads MZ/PE file

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe

Executes dropped EXE 25 IoCs

pid	Process
2532	tor-browser-windows-x86_64-portable-13.0.9.exe
2616	firefox.exe
820	firefox.exe
2536	firefox.exe
4524	firefox.exe
4384	tor.exe
2616	firefox.exe
4960	firefox.exe
5392	firefox.exe
5224	firefox.exe
5408	firefox.exe
5464	firefox.exe
3688	firefox.exe
3912	firefox.exe
5192	firefox.exe
2324	firefox.exe
5420	firefox.exe
1700	firefox.exe
3624	firefox.exe
4992	firefox.exe
4568	firefox.exe
4152	firefox.exe
4744	firefox.exe
2076	firefox.exe
4932	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
2532	tor-browser-windows-x86_64-portable-13.0.9.exe
2532	tor-browser-windows-x86_64-portable-13.0.9.exe
2532	tor-browser-windows-x86_64-portable-13.0.9.exe
2616	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
2536	firefox.exe
2536	firefox.exe
2536	firefox.exe
2536	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
2616	firefox.exe
2616	firefox.exe
2616	firefox.exe
2616	firefox.exe
4960	firefox.exe
4524	firefox.exe
4524	firefox.exe
4960	firefox.exe
4960	firefox.exe
4960	firefox.exe
2616	firefox.exe
2616	firefox.exe
5392	firefox.exe
5392	firefox.exe
5392	firefox.exe
5392	firefox.exe
4960	firefox.exe
4960	firefox.exe
5392	firefox.exe
5392	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5464	firefox.exe
5224	firefox.exe
5224	firefox.exe
5464	firefox.exe
5464	firefox.exe
5464	firefox.exe
5408	firefox.exe
5408	firefox.exe
5464	firefox.exe
5464	firefox.exe
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-13.0.9.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3404610768-3912631216-307532709-1000\{62F71620-F59C-4E5A-9BB4-6E0E4D11F87F}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 295572.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.9.exe:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2144	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
976	AnyDesk.exe
976	AnyDesk.exe
976	AnyDesk.exe
976	AnyDesk.exe
976	AnyDesk.exe
976	AnyDesk.exe
3952	msedge.exe
3952	msedge.exe
456	msedge.exe
456	msedge.exe
3552	msedge.exe
3552	msedge.exe
3612	identity_helper.exe
3612	identity_helper.exe
4508	msedge.exe
4508	msedge.exe
4960	msedge.exe
4960	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2316	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	AnyDesk.exe
Token: 33	4768	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4768	AUDIODG.EXE
Token: SeDebugPrivilege	820	firefox.exe
Token: SeDebugPrivilege	820	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2144	AnyDesk.exe
2144	AnyDesk.exe
2144	AnyDesk.exe
2144	AnyDesk.exe
2144	AnyDesk.exe
2144	AnyDesk.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2144	AnyDesk.exe
2144	AnyDesk.exe
2144	AnyDesk.exe
2144	AnyDesk.exe
2144	AnyDesk.exe
2144	AnyDesk.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
2144	AnyDesk.exe
2144	AnyDesk.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2316	AnyDesk.exe
2316	AnyDesk.exe
820	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 976	1184	AnyDesk.exe	81
PID 1184 wrote to memory of 976	1184	AnyDesk.exe	81
PID 1184 wrote to memory of 976	1184	AnyDesk.exe	81
PID 1184 wrote to memory of 2144	1184	AnyDesk.exe	82
PID 1184 wrote to memory of 2144	1184	AnyDesk.exe	82
PID 1184 wrote to memory of 2144	1184	AnyDesk.exe	82
PID 456 wrote to memory of 2588	456	msedge.exe	90
PID 456 wrote to memory of 2588	456	msedge.exe	90
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3544	456	msedge.exe	93
PID 456 wrote to memory of 3952	456	msedge.exe	91
PID 456 wrote to memory of 3952	456	msedge.exe	91
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92
PID 456 wrote to memory of 2612	456	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2316
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2144

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f4d53cb8,0x7ff9f4d53cc8,0x7ff9f4d53cd8
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4960
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.9.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:2532
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2616
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Checks whether UAC is enabled
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:820
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.0.2006588057\542132556" -parentBuildID 20240115174022 -prefsHandle 1960 -prefMapHandle 2396 -prefsLen 19243 -prefMapSize 243588 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8c820698-a3c9-4309-8b29-d7905f20c8c6} 820 gpu
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2536
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.1.2110905650\112063345" -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 3160 -prefsLen 20118 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {18b3091b-a81d-4bb7-b6d0-44a363f8d1c2} 820 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4524
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:dc03f2487f8864a760a3044f10ac7c73636878ecc3f75f908c165e58d5 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 820 DisableNetwork 1
        5⤵
        Executes dropped EXE
        
        PID:4384
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.2.2123487996\1872292126" -childID 2 -isForBrowser -prefsHandle 2980 -prefMapHandle 3008 -prefsLen 20928 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {37a79d18-28d8-4701-8631-c6a70dab7eea} 820 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2616
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.3.1213052150\1748371715" -childID 3 -isForBrowser -prefsHandle 3336 -prefMapHandle 3340 -prefsLen 21005 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b244ca8e-f19b-4e61-8f5c-dcd2841fd64f} 820 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4960
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.4.471509142\1739355485" -parentBuildID 20240115174022 -prefsHandle 3944 -prefMapHandle 3948 -prefsLen 22180 -prefMapSize 243588 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ed33266e-55f6-4bb4-bb6b-281aa0ad45d5} 820 rdd
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5392
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.5.939293431\1813786452" -childID 4 -isForBrowser -prefsHandle 3236 -prefMapHandle 3252 -prefsLen 22426 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {78385140-a24d-4461-b7cf-3480abc71b22} 820 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5224
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.6.256002615\1201234171" -childID 5 -isForBrowser -prefsHandle 4272 -prefMapHandle 4268 -prefsLen 22426 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5c2d65fe-2233-4d94-84e5-346d2b0fad8c} 820 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5408
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.7.1539722242\658699321" -childID 6 -isForBrowser -prefsHandle 2172 -prefMapHandle 3224 -prefsLen 22426 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7f83f680-1ec0-45a8-a1fa-288deba74b2a} 820 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5464
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.8.1049559215\1132138612" -childID 7 -isForBrowser -prefsHandle 4596 -prefMapHandle 4684 -prefsLen 23004 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {4bfd8adc-941f-4897-ada3-82c18685ebd4} 820 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3688
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.9.2116376690\328299551" -childID 8 -isForBrowser -prefsHandle 4276 -prefMapHandle 2928 -prefsLen 23166 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {765f0b54-bdd4-4680-91c1-e07794e5fbf7} 820 tab
        5⤵
        Executes dropped EXE
        
        PID:3912
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.10.1127196534\1438556480" -childID 9 -isForBrowser -prefsHandle 4488 -prefMapHandle 1552 -prefsLen 23166 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {dcbaf998-a932-4247-8ec6-568ad9bb18fa} 820 tab
        5⤵
        Executes dropped EXE
        
        PID:5192
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.11.285116730\2058891487" -childID 10 -isForBrowser -prefsHandle 5104 -prefMapHandle 5060 -prefsLen 23166 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {99c433b2-d466-42c1-82e9-7cc5bc5ec2a2} 820 tab
        5⤵
        Executes dropped EXE
        
        PID:2324
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.12.1535488309\1956822409" -childID 11 -isForBrowser -prefsHandle 4212 -prefMapHandle 3252 -prefsLen 23166 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f881ac5c-9db5-4678-a3b4-6f54a7c1f781} 820 tab
        5⤵
        Executes dropped EXE
        
        PID:5420
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.13.501240869\2143983961" -childID 12 -isForBrowser -prefsHandle 7676 -prefMapHandle 7688 -prefsLen 23166 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {96ea924c-19a3-4226-b6ba-b8136fd2c774} 820 tab
        5⤵
        Executes dropped EXE
        
        PID:1700
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.14.1465717342\1215294289" -childID 13 -isForBrowser -prefsHandle 8704 -prefMapHandle 8712 -prefsLen 23166 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {162fb103-1177-4eeb-ae01-f904dc3c41b6} 820 tab
        5⤵
        Executes dropped EXE
        
        PID:3624
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.15.1340140470\826159933" -parentBuildID 20240115174022 -sandboxingKind 1 -prefsHandle 4504 -prefMapHandle 1344 -prefsLen 25048 -prefMapSize 243588 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {cfed46e4-7230-4ae3-bfce-1d60b2b3d499} 820 utility
        5⤵
        Executes dropped EXE
        
        PID:4992
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.16.961855358\313141610" -childID 14 -isForBrowser -prefsHandle 3504 -prefMapHandle 2136 -prefsLen 23290 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f8961aa5-6dfb-40a3-8b64-1dc6a3a5b8f7} 820 tab
        5⤵
        Executes dropped EXE
        
        PID:4568
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.17.1348584380\1930552989" -childID 15 -isForBrowser -prefsHandle 8288 -prefMapHandle 8300 -prefsLen 23290 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {65932dc5-751f-4327-8d07-0382c33cc0bf} 820 tab
        5⤵
        Executes dropped EXE
        
        PID:4152
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.18.361836950\1174536639" -childID 16 -isForBrowser -prefsHandle 4232 -prefMapHandle 7656 -prefsLen 23290 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {3ff2ba93-9a5f-4332-81f9-0b431110330f} 820 tab
        5⤵
        Executes dropped EXE
        
        PID:4744
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.19.2004027519\227925870" -childID 17 -isForBrowser -prefsHandle 4800 -prefMapHandle 4480 -prefsLen 23502 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {65e98342-bdb3-470d-8eca-240b00f13465} 820 tab
        5⤵
        Executes dropped EXE
        
        PID:2076
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="820.20.1653181799\42424976" -childID 18 -isForBrowser -prefsHandle 5144 -prefMapHandle 4828 -prefsLen 23502 -prefMapSize 243588 -jsInitHandle 1308 -jsInitLen 240916 -parentBuildID 20240115174022 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d8da0c22-0850-4ef8-b282-ad1a4be4bf1c} 820 tab
        5⤵
        Executes dropped EXE
        
        PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8826701530565369539,18394074283873235844,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4804 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4aa37444d26e81e6f3837eb15bcaa892

SHA1
3d00127097989429f311f33daa8380ad7af4cb56

SHA256
ab703e5dfb5b92527f094fad6ec479839375907700be9a2fd1c3cb9105f9e655

SHA512
f21a34c234433a688602b2b56d6844f224641bea45b8585f77f4853e192107a65c5e104e10cd86c1d97ff41a22fd05d65224993803b22113ed0b517e686c5176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c2d2d8b2682de81889a3049e2231f319

SHA1
31dbe71e61b542a1f71ca171e551d8cdd7505c20

SHA256
db0f8a48ae3f7a0f44f4773d92f29708a8c307c16c2a3df8ba69595822cc0731

SHA512
4d8813278e3714f374c93cb4fd17fc83f6910afae7755f5919aa6fb725e72d96a6279dd625211a1bf81cf91cf550d149cd7c18454ffb8feaa6226a67fc99f022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
398B

MD5
3afe89e5d880c04758d9dbeb945cba07

SHA1
61f1a5d4a1112ce26c0d2731bfebc0d2e3bab56d

SHA256
6c028ff13095386c526f56159c6cccc6a9d33c0b1ededd9273bb31518e66244c

SHA512
445f63744bb9b86356d33c8908087bff08e773f210960cead5d214f26076659637c3a22396337677cfe0f4425bdac24564eeeaee3a8b46028f8c28d42135fbfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
764B

MD5
4fc90984cf92a73c60fa8b9b7e59dd15

SHA1
cbe17e2319d96b7ca25e9cd9f196c5d7edabd724

SHA256
57380d2e202addc87d6a7ae072d36c08363db292c527a8b596ab0aeafa022059

SHA512
f5ad93865c03e3ad9afa3bae200787ba16a63f0256a7f285326f8df42b2e529ee2432993cc0c6dff8e07b78fbf8c3aedcddba15d4d49a155265452c269627b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cc68ff359a3d4e7b779702649a94611f

SHA1
f5c45ff1279b6b28b2db4aba51d0793791533be8

SHA256
a6d88f715deaa389b1ae8bb1984d85a9b48961e944837655511f89a47799f096

SHA512
370b1f63d4eac089ddadb67c1e38110a37ad7b59b78c5022e6b7d6a59f954f2d0cf6a3006a6a87a869290fa08c9c4f60503d34b6f3a7e4071c00e23b176d1215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
00708f4d5a6f536059d25f121cf6c306

SHA1
4e359283296170bb77ae099a6f609802ad1759fa

SHA256
f79e15186dff43634f0b0f24d5d3de807cd8cb432b53c56102bd01bf9cedbfb7

SHA512
ae4e00fa6a00cb0e5ad650e1ec6bc0f5666fe7e847057a64fd82f63bdfc14952c810908ff0b27cbc1f11aa69f54d7a7065be8a96017b6ceff1f0b1c4dfb176d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
47f89a40b9b3e39f2666b34e9b913567

SHA1
9869d1682756ff18d22ce7faacc1ae3460e2a9f8

SHA256
d86b1400e3d961d348682d7213354c741a7985e7453811b95ad1c30b5cae0002

SHA512
4bc6a5bc7564b32689b161d0bb594a06d79df93d6644f138283830adbf1a7f3ef1344d9da1e05450bc5f603dd64adaa0b7814623df217882cf573a5b5839ce7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
558065a3af48ba4b608d4b559a86b5b5

SHA1
5372db2f9a9484feec02e501e0fcb9464676ab6c

SHA256
fff072fa6015341b06e66ae09b2bc05ae16987f26e18999fe84bbf670fdf6598

SHA512
c7b26ebd83a9be7ffeba7f0711b6fe25de26579a8dc7eeac6d6886b062f7c35386fa9349c0fc42cb761838c47bffbe42b4c1ba080f9bbe61cbec50e47a5acad8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
40833cdbd5d7994ce8fa41b927a81b3c

SHA1
7d0113a707e380a6c12a7581af0184b6e49ba481

SHA256
857a656a5e259b4671d5778cf4c93bf038e060b195cb7e9fb3d9c5bf25c8f2f7

SHA512
38d77bf562e1abeffd91ada2832a160d29509ed748751f43de43c5846c9fffab53884fe31b19ee7336c36557d726b9ff17dcdda0f311d8f04407e44748f2f4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b977f1bc1a5570e9b8aa20349c06d987

SHA1
c92721d0a68f5a184e5043b6c50960fb60a580e4

SHA256
c175000cccb32ea46cb213d877730d446ec737e0844455da186342f878189156

SHA512
8f814a79098a6e43ea46e527c201e472051f274432298bbe76f96ccf0a241f42d53a9844792aa173ac5fe74894b3b63a00114c05403ba7a715475100bdde72b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ad11f06706385bc794776d83a7639e3a

SHA1
96640c9ebb2d529740527a4b95b833fbcd787ca8

SHA256
72817f0f1a1feae1f166142d8b46e12fca27c63c1a0638b77212adef1198417b

SHA512
8069d9fda4405482ccedefb02d5df2986dd0810af16c2f939ca0abc5afb1321e214162abb0c54daed8f03ae510c1e57247b9e9842f361d5503b0b6ed392c00dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
24b5afb607f35d022ad505e42437302f

SHA1
5880a51c0a6d1e6d167929e108521dbd1c991330

SHA256
ec23f2c1e524704973700e8c26f3aed1e62899be0bf4072afda1eb09fc254fc0

SHA512
4f3030694e5b3fc65026a40ce1fe2b3a16da1e829af411ade03b88702f778fc5d373a4a7821747b42024e1890b2d9413d6676a092e934f061aab8bfa5f479831

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2CC5.tmp\LangDLL.dll

Filesize
8KB

MD5
59888d7d17f0100e5cffe2aca0b3dfaf

SHA1
8563187a53d22f33b90260819624943204924fdc

SHA256
f9075791123be825d521525377f340b0f811e55dcec00d0e8d0347f14733f8a3

SHA512
d4ca43a00c689fa3204ce859fdd56cf47f92c10ba5cfa93bb987908a072364685b757c85febc11f8b3f869f413b07c6fcc8c3a3c81c9b5de3fba30d35495ff23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2CC5.tmp\System.dll

Filesize
25KB

MD5
480304643eee06e32bfc0ff7e922c5b2

SHA1
383c23b3aba0450416b9fe60e77663ee96bb8359

SHA256
f2bb03ddaeb75b17a006bc7fc652730d09a88d62861c2681a14ab2a21ef597ce

SHA512
125c8d2ccbfd5e123ce680b689ac7a2452f2d14c5bfbb48385d64e24b28b6de97b53916c383945f2ff8d4528fef115fbb0b45a43ffa4579199e16d1004cf1642

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2CC5.tmp\nsDialogs.dll

Filesize
14KB

MD5
990eb444cf524aa6e436295d5fc1d671

SHA1
ae599a54c0d3d57a2f8443ad7fc14a28fe26cac3

SHA256
46b59010064c703fbaf22b0dbafadb5bd82ab5399f8b4badcc9eeda9329dbab8

SHA512
d1e4eb477c90803ddf07d75f5d94c2dacfdcd3e786a74ea7c521401e116abf036d9399e467d2d12bd1a7c1abda2f1d6d15b40c8039fd6ec79ba5fe4119674c27

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
b6c11f4d591641761b3e540b4a4597e4

SHA1
f23fb4f7a126157587384c983ac22330e933faa9

SHA256
d8a01dd999fd0262d662ac04a8e72068695f866beda4d0e10e4b69b147df3395

SHA512
65ecec238c2c2c28b9207fb00f76b2f20dce60b3be29d23638f57f809e6428e3d883620ee84d75e67879d0134e8fbace9c55181b212c462fb7e10e4e9c4c8714

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
36KB

MD5
9f63b15f0b6b5410bb65608288a12cf9

SHA1
ed3c3a394a20bce7be049c6225576a2851ef1abb

SHA256
7cd64f442ff123cfbc884ab249765852024a7ece352d3a0acb760c02355f5208

SHA512
134f84e52fbaeb15cf26adfaa37062c150576d74b9e361ae8e4e8cde895de440c2c4c2c515fe2355eccc2287f76ce80ebed9961055c061150ca0cb8920383194

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0710651171515e808936a84eb061a4d8

SHA1
73a6ab6b550da8d79841e791488df0c2cdb5eb86

SHA256
a151c1ddbeea7f27fac8be26631ce367f6d95d4edb59cb3b8cc73f20602cc990

SHA512
72788d43a96371563bf029ba12f6f81c8e3959d935f95a4313f718216638c5a39abf7aed26358401b02ac42752290f7cd8eba038df1b4a9c69fb625172e82ad5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
eac31a7989ce871ae2222e4e9e211a9e

SHA1
64b00ac59e8391a57b4d2e92c7816a2ea81d289f

SHA256
acf8a4f12ad4d55bc06dba1aa890b067fc8077b492cc228ecfd33239bcfeecb9

SHA512
ec051f59251dc556bb284752ba866fb7822ca6ccdef22466d67cc7b841be823c2b87ee1728fe6abdfa883373631718ca93086107afb14c381644199d9f45e573

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
a0de6ba25c3d95ba41928ee8100dff57

SHA1
348124fd62b6e11a2f433613cf02122a76b0edc9

SHA256
c1a75e10c9c800e9b6e266515a45a36e33f1bedbbebe5d847e1d9cbdabf4388b

SHA512
27546e131f04b07d03503a518145f2f83533e9506708170bf416e89d2ec1ad6128445fb42d4439373627c120182c80cf87cd59b116a57f973dcff0645d46ef6a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
864572c1a11349b19c3482581ce1e098

SHA1
5e10e77393855c12ef949e68e71d9622ad3c0541

SHA256
5dfda94e6fa75ee688d20ed0dad285a9f8d1b136bd18b0bac578767301170e26

SHA512
4471a97943ece7bc75001d27073b5a316939d3c4f299e145f51d7f77ddb0680505c98730ad5b1f8719c88ece3c9e8b505bbf09e791da7bf377359aa18c740560

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
69c56c047defc3fb9fab488894c7c1aa

SHA1
445fb73b2a5dfe7e701bdeb6fd0f7eaa2e3cde25

SHA256
699aa75373240bd039279096ec8f6d1578562eaeb820a72200d0f61ff161d333

SHA512
3a3bea7fb033d3d61e310dd4f7dfd4810276e519dcaa3a5ca25f56f8befed17f0b29fd89f77901a1da4521e0ef55eb2aa95f4fe131f7eeb2643dd4b69d11b62a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e1e9a19ca0e7db3547667c1bb77c5359

SHA1
e351e8ec29adb8b14295d91b01b6360207b5e74f

SHA256
a2db941c677d373de8f4a3b109d10eb1e1596b5dd539b62b40309ae31d724c79

SHA512
c4a45c4eeffb750459a3fac5a9840d363ec79834c7971f4b81bf5012157f9fa8cd5b74c8b91a8ba34c0ef3674a25ed854ed478b7b95248b0d147c1e68cf0931b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
095037f72793b359421e1aa442ace2dd

SHA1
d8bee330a1d7e108c8b3a3124245f39b4d41f275

SHA256
b4b244ae7f1cedcce36a38ff650f27ddf9594326908bec55ab453abaaa549291

SHA512
b2bae203be1a28c5ebf1fdbcb2642fb7156080823663045984a425b37da4bc15205a04fb8de5a4ceb43a5e62143ea5801269213c2c773b4c7980d9756ad0e051

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
99d2f6e988568f6204752e0d588c8e3f

SHA1
af7220ad8d0feed329482f584262377553d23279

SHA256
09a457bb802e8c7329f197a29dd710906c45469be573b8470aafc9d5a0f277e6

SHA512
166fce12b903f3998aca26ee07a6cb90c782dc8dc1fd1440c7a3f517018ccc5bb100bc841366fcd7fc2f8f24a153d543b556b1203f576f7069fb529d60744287

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fb5660e279642c5382e5c55b11739ee5

SHA1
fd43edefaff2c415eba6e235bc375686d81ba071

SHA256
e4bbdea994f94e0f8e913b2829abac0df3b52fce6d29f8bbf4b7211b024dc414

SHA512
7a25fa10caefa774cf7e0d12ec386fb518345eb75c3a19d8bc1940853d138c35ce7d493989eeb19fc4f329362691549df77c8b288426ba4eac5b9d2051618d20

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
afc773449dd3b84fcaefd7ca208db604

SHA1
5597f0861c688ec7db6b469c58299340dfc47463

SHA256
0b8974ba6ab66c46def7c2e995888a4036fc0116ab6f234203776a23648e1370

SHA512
fda95656b9165017509b7cf9561e8c56255f02c5eb287f79760f606981818d51a0aba03ad544e6c5e5caddbd88cd9315eb3451b5e224395690943d9b4d9f07cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
42c126e9a112f397a3e659784043efe0

SHA1
266b1479ba7c45b811ba5c3730ee0a3e99112e0a

SHA256
70407ed7d4e790c8a173d806d298acdd05262beec873786864591d329bda54ca

SHA512
56818f4e6d588a129ac933f46797c9b123cd9cd3d7b7b53272bd32d5ab9396b5dddd6d86eadc74ed7a746a13bb6b362c95aa94311e4208596b5df2cb78cc86da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f30133914e1ec388c2853e82dfb547fc

SHA1
49d0ea98e2a7b917e0e2784ff905e05b68f25bec

SHA256
4f52b4bc8e61b784a43e83e0a161bfceda2e2bdfaca4ff82e20a3d426506147b

SHA512
dd0d2984e4947131aa1659c80094416d9a5703e7cee564d962f78d44af5418f76faa3f54bc990523f54d185f679660c58187c0bdf1e807b6d0e860367a5f46bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
63b80d34f4fe3498a2215dcfa9ee3dbe

SHA1
e489a8974a29b13e51257ab2daeb3fd075ebb72d

SHA256
1f8f53acb9beecd0adfa8f64f017799d7964cb6ddde0a6e3dc0e5b1fa6682c17

SHA512
5562aecdfa312cbac34940ce02ceba323df4c1c52ef85c269cd69e8db1223f9c1d8686b8342d3a4db68c826753a8a7e649947edfff9257e9ac1d6f6882ac7386

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
664862152e587ee13e46e95d3dc2c441

SHA1
3faa6cf4df02adfec497444bfbdb35b822d65adb

SHA256
b2d0b8484ae3275906ea42c447cd34adc8eb15bdaf498cccd61887032f841f9c

SHA512
40f4ccfee972bccd3ac5ad20ae2bad6d31c7c24902d524b3bc2ae1ef873105f8d7ab5096d3ad6b267aa4908fa961336d51856e572aab75ef1db9f3606867207f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ccb4e5c386a10a0a944aa17e45040446

SHA1
461fe314419da4e13d9051a0c05cb71cfad503b5

SHA256
e16dc9d728504e0082e3a1eb6bd21343ca95eff792b18334e867dd0f10316206

SHA512
1b9c8baf8161f371cb3522d3b4a5b3840f52ad1a2b7b19aa5fe3b5a1a269af4d45f4c26b1e03748dd307fb749335536e33082c37b00a9edd88a61ed893aea36a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
f61d24f78342ceaef540fd4b0dc20327

SHA1
600dc53f35fccb3314295e1a47deaf30368154f6

SHA256
dfcd1e1608c880dc0ad2edbdd000483d70cea2cbf077e8812f53109c15704fcb

SHA512
36a6d9d9ba7ac0c37d425f3b74b8ea5235170b8c04b436def8d90a2a9300e7b30527f1e021e3e1964a8193dc8e52ffa2dcc2cca2d2a3dbbbe0775b37e0c5b8ff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
187504c650df14dce083599a23108992

SHA1
862698392f88b1d7679e1d2eb89f1ea3d2041bae

SHA256
4b6e3e493b84a9e6a570efeeb27fdeef1712d60c2aefb6314ee9dd22eed5be6f

SHA512
cb0399f579fff903027e69b7c6dbca21fc14ee35d956e4c89b163b50e02ac6ba05008cc819033b778fe4dfa83f1892688a11e9fed17bd71668cba2c96cb574f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8728d6969124e4919db13d38dc30a8e4

SHA1
a5b5426211c6430932b84989fab796bfb8529bd1

SHA256
ebb0135fcaae5f0757c2c4d62cf332258f8d170da870a4da08d01dc8f8317fd1

SHA512
abb77fdb725d0957429e4d3d6df3054b8826e085616add5cbee05bacc3023aca9cf581f8a9fd4aae1f3949c915da8ea639dc9bc359525f0295b09d7547be73b2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\bookmarkbackups\bookmarks-2024-02-18_14_ZctuIBxpJz4f5iycG9rChA==.jsonlz4

Filesize
1KB

MD5
9a32aaeccb2dc3302219e1126132bec0

SHA1
d53e5a1309b93d8baeec1f48b71c3876fd0cfeca

SHA256
4b5b264df9c97bb42cc9113ff09189e093e54f482f635043e4af2053794f88d5

SHA512
b675fe3d17f3ad35bed24f1c47169da527947b5fa236b14e3c870811000bcb48401b5ee0d03b601236b453d871f7adc2ee7ab93e6819c4c0a38a942cd360d344

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
b1c8aa9861b461806c9e738511edd6ae

SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8

SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70

SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
7d3d11283370585b060d50a12715851a

SHA1
3a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3

SHA256
86bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9

SHA512
a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

Filesize
12KB

MD5
b3d5ea49bdf0930971e38c236b9c98f4

SHA1
abd8bfd416315d132727997e4242d938628fe2b8

SHA256
01caf4fabd4d606f0a9e9ff38e2936e142023069cb7d87c85b83002ac5015c9a

SHA512
1623de685c7427018b28b893fd501884eae0d982a9720a975523b7a593588c40842837bb0ed7ac890f8766543ae739dfb703dc4d69e7006617ac490ff02e7f39

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
0519e573634c54fa14746588fc84f5e1

SHA1
5fd0e0896a2e3a8ff2e926cffa9305a033c3f72d

SHA256
c92c4d12197297469431135d5e92529ff7c1bed3361a5e896a9648de1567dc5f

SHA512
1ca95d1eaea019aabedc9907b197ea37f7c8362a3b4b4e4a84df004450648ef97c85bc3504935a7c0e4672d6c475cd1e5f6a59213ba7df1e0a49e8dfef8703c0

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
9f2da7936a33225d7f97ccb68618f4d7

SHA1
2b0052c334e550c436f66b2d72fee93995d4033f

SHA256
a2bf7bdd127e917310ecef8edc22759c8695bd510c860123423db96a8ecade49

SHA512
9849b8776c99f547efde148a255883c98b99eb3a6135aa9226e5a4578422757bf18c6e12033f93ede2c5d3e9f160eecb5c22e927327bf7a3b08016cfdbd59ade

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
1KB

MD5
ac69d6d7747bef21ca9e007701571166

SHA1
20e9e4da1ac7991f2522d1dbe48ec9c65c063d8d

SHA256
96952870ea524ff16fedb1ff1a1a043cb0a273d74ee23dc869d792b620a9775b

SHA512
56ce7f67e3d63c38bf24d584937833cfd72916bda74c77cfbb083146126bf8198fc0a8a2a50d0b4846514e9dfd7c928f13717aa473ae3340ce3cf6567bf45d7a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
865B

MD5
fbef6e02d3704d827ef825a8bb928b83

SHA1
cbefff8caeb029b6ac97e935d3ed25aa4d8c186d

SHA256
0f673c4277ad09987dfe1b71a5934ce1bc57db69e5cd4210bcae14342c9e1ac2

SHA512
3f6ae07abfe8ff0b95b19e808d98d6466805d7080ff96594cd68ecc5eeddb67e556453243ca3f57a02fe32f5447219daa4a8cb2f0fd76000a5a48297f3a25786

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
5KB

MD5
33da65630076eb802f6d45ccbbcc7a0c

SHA1
800b501052536e3bb69257fa7ddde17ead0371e9

SHA256
8503f47f79657ad113a2bfe8002617616fab68e8cf43695d44dac390db115110

SHA512
1efd41c8ed506d3ad97d933ee3235ecab48f38c6e373e86304fea22bc9992de3e062061f4a170d78f0c7f4c6bf12d7cd17bbccf062e7df1f0ad089d3b62c6ca6

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
5KB

MD5
21c20bf5e326a958d8705bf0a5caa7ea

SHA1
de39cf3a5e69d667a8ff6f7b26bc4faefaeeaf03

SHA256
2b57c403402934adb961d0b321cc9044e35e348be41e62f597215e6b70593210

SHA512
b3d712a25653f36c5539a1da7b236f1c43aaf910a7c3f2de08c6de5fe2a8ec328b6f368a28bf8360d78aeafcc6e1a4db68c1a3c52bac5dd8df2046f67ce2cabf

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
216KB

MD5
c3243015847df436089d5b97ed1150e5

SHA1
113b3982484e3634ca167bf79f5e7968850b7451

SHA256
961ff3dd686ff89d70e62be0d7f65c9b6eed45e56c6c07ac8c09ad238ee3d59d

SHA512
decb94407012ae2cc1eac0df4836dc21b55d450d9ddb678e6e7de173d2dc520e5ae00adbc752a3bdee652ff123c688275646ea2fb8276142e9ac78d13b2c0bfc

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus

Filesize
2.6MB

MD5
93150c0e550338a1e78821d8a1cd1e97

SHA1
5efd34eb118bdc21f97c6c5302750c3174dfc2e1

SHA256
207951a8c87d5cb105834cc2c3bb316b1877fc7c10bb54998d124a485acee8ca

SHA512
a4574782623b87676bb5a4a4a90b6c2eb5b47fa81b870a25c85b1935ec36af285f2dacea7dba3993744675b774df94735a2c4d070d656257789f73e4c77560dd

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new

Filesize
11.0MB

MD5
73afc53cdd474133177d20c70d5a36b4

SHA1
1d04a59fc9ced43306429696505dac6082e9a5d8

SHA256
954b26a5448acf71c846515d59df59645ad3caf888a5cc5c4087590c268ad1d6

SHA512
416763a9e2a1aab8be4ac02769986126d86b454f35dbe216b32810c970e2c33f8683d96d17296cecfe5d26928dfe8882df6edb268b81d431fbb50e8639a5d73b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

Filesize
1.7MB

MD5
8657a4a8317072b9add9c91431f09de4

SHA1
415406bb72114572d689aa09c19d4c6c60673eb5

SHA256
77fe9d57114def479f661e8813f2d48aef9aec1eb62081999f0c482bf205dcc2

SHA512
89325fdd3ec217674a5b59f16b4e7b8a56cb69207f27bddc59b84e6842962f517f69560ba33181efe70095016b45e31138276c11885a80596b5f5077e35967a1

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Start Tor Browser.lnk

Filesize
829B

MD5
fc9a4db4e3794ab33bd246504052f301

SHA1
19c3b77c544caccde38b45038374c57753c5a80b

SHA256
7e03d3def7719b479c41e204a66cdc21a3b56a33f6c2630465946e1f58996080

SHA512
a20a7f6dde968be232adcf12146c4cf80275dae4b16c8b51613c533100d163758667a6990d6a3db8f3cd33a33801bbc260368551e747f24adfe7c988c5536e02

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.9.exe

Filesize
75.7MB

MD5
8f2b35b43a750a9afcf92c43aed8c735

SHA1
a3c40a22338f81a890d28aeb99c5b45701b929d4

SHA256
1531f2f5b9735fdc0a9a24a0360f44b4f35ed823bcd9c93d9bd01e16c9a4205e

SHA512
b14c2cb26e34dd2b102bfd483681b9b172c4bab6a6272c87a79623fa87eb63dda8aa5dface7c6cb8c76a09bb255a6541fe47da217fc97165e4c361b9c3f3e4b9

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.9.exe

Filesize
98.2MB

MD5
50dc710482ab307d2b410dab7b69b9c7

SHA1
6bb0bb2fe5c72315793588d7dec8e21c94dec2fd

SHA256
73b3d43f1d7940714e19e0f58c55682d46cf7e1c062a95b9327244b9894eddf9

SHA512
ea21b3bccde43e6ba90e6acd9d3c6d9e45490d54b914ef5dfc64e173e9a22c564185122522ae416d1830a093375ded7077389312084ed5f1a27f08ead0f23694

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.9.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/976-337-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/976-585-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/976-381-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/976-295-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/976-630-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/976-241-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/976-282-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/976-16-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/976-403-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/976-12-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/976-35-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/976-291-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/1184-4-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1184-240-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/1184-34-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/1184-90-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/1184-93-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/1184-229-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/1184-33-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/1184-0-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/1184-1-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/2144-242-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/2144-15-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/2144-11-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/2144-28-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/2144-292-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/2316-264-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/2316-246-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/2316-267-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/2316-272-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/2316-266-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2316-260-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/2316-268-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/2316-262-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/2316-263-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/2316-261-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/2316-259-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/2316-258-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/2316-276-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/2316-2542-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/2316-277-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/2316-279-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/2316-257-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/2316-251-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2316-247-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/2316-265-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/2316-269-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/2316-270-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/2316-271-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/2316-274-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/2316-303-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/2316-273-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/2316-293-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/2316-289-0x000000000B930000-0x000000000B931000-memory.dmp

Filesize
4KB

Download
memory/2316-288-0x0000000000400000-0x0000000001B37000-memory.dmp

Filesize
23.2MB

Download
memory/2316-287-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/2316-275-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/2316-280-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/2316-278-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/2532-929-0x00007FFA0D790000-0x00007FFA0D79D000-memory.dmp

Filesize
52KB

Download
memory/2532-927-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/2532-746-0x00007FFA0A040000-0x00007FFA0A04F000-memory.dmp

Filesize
60KB

Download
memory/2532-744-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download