azorult | 74a87d1c3a1b9f64de31bbd7bdfb357975c83ca45ab4475bfb9a7c672f7ee64b

Resubmissions

02-03-2024 10:27

240302-mg7kkscg37 10

02-03-2024 10:26

240302-mgtzgscd6z 10

02-03-2024 10:26

240302-mgjhracd6y 10

28-02-2024 23:40

240228-3nt6tsgd7s 10

Analysis

max time kernel
585s
max time network
601s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
02-03-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad2705a198cb64edbf12aa09fb984f88.exe
Size

3.1MB
MD5

ad2705a198cb64edbf12aa09fb984f88
SHA1

97fe0043aa142e0d59cade0a7dd0bf2f79246cbe
SHA256

74a87d1c3a1b9f64de31bbd7bdfb357975c83ca45ab4475bfb9a7c672f7ee64b
SHA512

5fb3eb85a6ac0dcf529fe6a0c659d802eb9fca94d59e58f57c6a99ab9a7743432d943cfd377b7dc2921e99ed808679a585f40f84ef45356ae1ea140c2aa9f66b
SSDEEP

98304:hdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8x:hdNB4ianUstYuUR2CSHsVP8x

Score

10^/10

azorult netwire botnet evasion infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/556-27-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/556-40-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/556-31-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Downloads MZ/PE file

Executes dropped EXE 51 IoCs

Processes:

test.exeFile.exesvhost.exetmp.exesvhost.exetor-browser-windows-x86_64-portable-13.0.10.exefirefox.exefirefox.exefirefox.exefirefox.exetor.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exetor.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
484	test.exe
3012	File.exe
556	svhost.exe
1924	tmp.exe
4100	svhost.exe
1372	tor-browser-windows-x86_64-portable-13.0.10.exe
4692	firefox.exe
1932	firefox.exe
4452	firefox.exe
1060	firefox.exe
2188	tor.exe
2992	firefox.exe
4916	firefox.exe
1072	firefox.exe
3964	firefox.exe
736	firefox.exe
3372	firefox.exe
4816	firefox.exe
4592	firefox.exe
2768	firefox.exe
4976	firefox.exe
1656	firefox.exe
3704	firefox.exe
1936	firefox.exe
2480	firefox.exe
1392	firefox.exe
736	firefox.exe
3572	firefox.exe
4760	firefox.exe
3360	firefox.exe
4076	firefox.exe
3032	tor.exe
4856	firefox.exe
1188	firefox.exe
4592	firefox.exe
3028	firefox.exe
2868	firefox.exe
1876	firefox.exe
3804	firefox.exe
3864	firefox.exe
3960	firefox.exe
4724	firefox.exe
4640	firefox.exe
3276	firefox.exe
3704	firefox.exe
1568	firefox.exe
5264	firefox.exe
5728	firefox.exe
6140	firefox.exe
5400	firefox.exe
5600	firefox.exe

Loads dropped DLL 64 IoCs

Processes:

tor-browser-windows-x86_64-portable-13.0.10.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
1372	tor-browser-windows-x86_64-portable-13.0.10.exe
1372	tor-browser-windows-x86_64-portable-13.0.10.exe
1372	tor-browser-windows-x86_64-portable-13.0.10.exe
4692	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
4452	firefox.exe
4452	firefox.exe
4452	firefox.exe
4452	firefox.exe
1060	firefox.exe
1060	firefox.exe
1060	firefox.exe
1060	firefox.exe
2992	firefox.exe
2992	firefox.exe
2992	firefox.exe
2992	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
1060	firefox.exe
1060	firefox.exe
2992	firefox.exe
2992	firefox.exe
1072	firefox.exe
1072	firefox.exe
1072	firefox.exe
1072	firefox.exe
1072	firefox.exe
1072	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
736	firefox.exe
3964	firefox.exe
3964	firefox.exe
736	firefox.exe
736	firefox.exe
736	firefox.exe
3372	firefox.exe
736	firefox.exe
736	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
4816	firefox.exe
4816	firefox.exe
4816	firefox.exe
4816	firefox.exe
4816	firefox.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4848-0-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/4848-59-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/4848-60-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

test.exeFile.exe

description pid process target process

PID 484 set thread context of 556 484 test.exe svhost.exe
PID 3012 set thread context of 4100 3012 File.exe svhost.exe

description	pid	process	target process
PID 484 set thread context of 556	484	test.exe	svhost.exe
PID 3012 set thread context of 4100	3012	File.exe	svhost.exe

Drops file in Windows directory 8 IoCs

Processes:

UserOOBEBroker.exeUserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 4 IoCs

Processes:

MiniSearchHost.exemsedge.exetor-browser-windows-x86_64-portable-13.0.10.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1637591879-962683004-3585269084-1000\{CCDB085F-A27A-4AFB-908A-7217EBAA351E}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-13.0.10.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	firefox.exe

NTFS ADS 4 IoCs

Processes:

cmd.exemsedge.exemsedge.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 880446.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

test.exeFile.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
484	test.exe
3012	File.exe
484	test.exe
3012	File.exe
484	test.exe
3012	File.exe
484	test.exe
3012	File.exe
1544	msedge.exe
1544	msedge.exe
1016	msedge.exe
1016	msedge.exe
3672	identity_helper.exe
3672	identity_helper.exe
4896	msedge.exe
4896	msedge.exe
1240	msedge.exe
1240	msedge.exe
664	msedge.exe
664	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

3296 OpenWith.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
648

pid	process
3296	OpenWith.exe

pid
4
4
4
4
4
648

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

test.exeFile.exefirefox.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	484	test.exe
Token: SeDebugPrivilege	3012	File.exe
Token: SeDebugPrivilege	1932	firefox.exe
Token: SeDebugPrivilege	1932	firefox.exe
Token: SeDebugPrivilege	3360	firefox.exe
Token: SeDebugPrivilege	3360	firefox.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exefirefox.exefirefox.exe

pid	process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1932	firefox.exe
3360	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

OpenWith.exeOpenWith.exeMiniSearchHost.exefirefox.exefirefox.exe

pid process

3296 OpenWith.exe
2624 OpenWith.exe
3428 MiniSearchHost.exe
1932 firefox.exe
3360 firefox.exe
3360 firefox.exe
3360 firefox.exe
3360 firefox.exe

pid	process
3296	OpenWith.exe
2624	OpenWith.exe
3428	MiniSearchHost.exe
1932	firefox.exe
3360	firefox.exe
3360	firefox.exe
3360	firefox.exe
3360	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ad2705a198cb64edbf12aa09fb984f88.execmd.exetest.exeFile.execmd.execmd.exemsedge.exe

description	pid	process	target process
PID 4848 wrote to memory of 4832	4848	ad2705a198cb64edbf12aa09fb984f88.exe	cmd.exe
PID 4848 wrote to memory of 4832	4848	ad2705a198cb64edbf12aa09fb984f88.exe	cmd.exe
PID 4848 wrote to memory of 4832	4848	ad2705a198cb64edbf12aa09fb984f88.exe	cmd.exe
PID 4832 wrote to memory of 484	4832	cmd.exe	test.exe
PID 4832 wrote to memory of 484	4832	cmd.exe	test.exe
PID 4832 wrote to memory of 484	4832	cmd.exe	test.exe
PID 484 wrote to memory of 3012	484	test.exe	File.exe
PID 484 wrote to memory of 3012	484	test.exe	File.exe
PID 484 wrote to memory of 3012	484	test.exe	File.exe
PID 484 wrote to memory of 556	484	test.exe	svhost.exe
PID 484 wrote to memory of 556	484	test.exe	svhost.exe
PID 484 wrote to memory of 556	484	test.exe	svhost.exe
PID 484 wrote to memory of 556	484	test.exe	svhost.exe
PID 484 wrote to memory of 556	484	test.exe	svhost.exe
PID 484 wrote to memory of 556	484	test.exe	svhost.exe
PID 484 wrote to memory of 556	484	test.exe	svhost.exe
PID 484 wrote to memory of 556	484	test.exe	svhost.exe
PID 484 wrote to memory of 556	484	test.exe	svhost.exe
PID 484 wrote to memory of 556	484	test.exe	svhost.exe
PID 484 wrote to memory of 556	484	test.exe	svhost.exe
PID 3012 wrote to memory of 1924	3012	File.exe	tmp.exe
PID 3012 wrote to memory of 1924	3012	File.exe	tmp.exe
PID 3012 wrote to memory of 1924	3012	File.exe	tmp.exe
PID 3012 wrote to memory of 4100	3012	File.exe	svhost.exe
PID 3012 wrote to memory of 4100	3012	File.exe	svhost.exe
PID 3012 wrote to memory of 4100	3012	File.exe	svhost.exe
PID 3012 wrote to memory of 4100	3012	File.exe	svhost.exe
PID 3012 wrote to memory of 4100	3012	File.exe	svhost.exe
PID 3012 wrote to memory of 4100	3012	File.exe	svhost.exe
PID 3012 wrote to memory of 4100	3012	File.exe	svhost.exe
PID 3012 wrote to memory of 4100	3012	File.exe	svhost.exe
PID 3012 wrote to memory of 4100	3012	File.exe	svhost.exe
PID 484 wrote to memory of 3300	484	test.exe	cmd.exe
PID 484 wrote to memory of 3300	484	test.exe	cmd.exe
PID 484 wrote to memory of 3300	484	test.exe	cmd.exe
PID 484 wrote to memory of 3676	484	test.exe	cmd.exe
PID 484 wrote to memory of 3676	484	test.exe	cmd.exe
PID 484 wrote to memory of 3676	484	test.exe	cmd.exe
PID 3012 wrote to memory of 2056	3012	File.exe	cmd.exe
PID 3012 wrote to memory of 2056	3012	File.exe	cmd.exe
PID 3012 wrote to memory of 2056	3012	File.exe	cmd.exe
PID 3676 wrote to memory of 1312	3676	cmd.exe	reg.exe
PID 3676 wrote to memory of 1312	3676	cmd.exe	reg.exe
PID 3676 wrote to memory of 1312	3676	cmd.exe	reg.exe
PID 3012 wrote to memory of 3636	3012	File.exe	cmd.exe
PID 3012 wrote to memory of 3636	3012	File.exe	cmd.exe
PID 3012 wrote to memory of 3636	3012	File.exe	cmd.exe
PID 3636 wrote to memory of 3452	3636	cmd.exe	reg.exe
PID 3636 wrote to memory of 3452	3636	cmd.exe	reg.exe
PID 3636 wrote to memory of 3452	3636	cmd.exe	reg.exe
PID 484 wrote to memory of 2820	484	test.exe	cmd.exe
PID 484 wrote to memory of 2820	484	test.exe	cmd.exe
PID 484 wrote to memory of 2820	484	test.exe	cmd.exe
PID 3012 wrote to memory of 2744	3012	File.exe	cmd.exe
PID 3012 wrote to memory of 2744	3012	File.exe	cmd.exe
PID 3012 wrote to memory of 2744	3012	File.exe	cmd.exe
PID 1016 wrote to memory of 3772	1016	msedge.exe	msedge.exe
PID 1016 wrote to memory of 3772	1016	msedge.exe	msedge.exe
PID 1016 wrote to memory of 4084	1016	msedge.exe	msedge.exe
PID 1016 wrote to memory of 4084	1016	msedge.exe	msedge.exe
PID 1016 wrote to memory of 4084	1016	msedge.exe	msedge.exe
PID 1016 wrote to memory of 4084	1016	msedge.exe	msedge.exe
PID 1016 wrote to memory of 4084	1016	msedge.exe	msedge.exe
PID 1016 wrote to memory of 4084	1016	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ad2705a198cb64edbf12aa09fb984f88.exe
"C:\Users\Admin\AppData\Local\Temp\ad2705a198cb64edbf12aa09fb984f88.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
5⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
5⤵
- Executes dropped EXE
PID:4100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
5⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
5⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
6⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
5⤵
- NTFS ADS
PID:2744

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
4⤵
- Executes dropped EXE
PID:556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
4⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
5⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
4⤵
- NTFS ADS
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4512

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3456

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3296

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2820

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff830133cb8,0x7ff830133cc8,0x7ff830133cd8
2⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
2⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
2⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
2⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
2⤵
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
2⤵
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
2⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
2⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
2⤵
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
2⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3440 /prefetch:8
2⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3308 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
2⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
2⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
2⤵
PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
2⤵
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6228 /prefetch:8
2⤵
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
2⤵
PID:628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,12992595195876570886,10192542365661087597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe
"C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1372

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4692

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.0.344379680\561265389" -parentBuildID 20240213172118 -prefsHandle 2024 -prefMapHandle 2264 -prefsLen 19244 -prefMapSize 243693 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {6f50a977-6dd8-495d-a9a5-e09fc6e5d867} 1932 gpu
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4452

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.1.1930748352\1594989148" -childID 1 -isForBrowser -prefsHandle 2744 -prefMapHandle 1888 -prefsLen 20081 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {0af88f3c-ea0d-49bb-83f6-57d32918e748} 1932 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:b743ab9f9f488e4760d9cfaec433ba7b04d7ceff423c371ce9625f1bd9 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 1932 DisableNetwork 1
5⤵
- Executes dropped EXE
PID:2188

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.2.1300986462\1091848494" -childID 2 -isForBrowser -prefsHandle 3232 -prefMapHandle 3228 -prefsLen 20893 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8cc4fa4b-0c37-49ec-ae41-736f9cf1b348} 1932 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.3.1348509997\914467791" -childID 3 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 20970 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {10d3228f-51e3-454d-8379-003bc318e2af} 1932 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4916

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.4.1969688331\1337290448" -parentBuildID 20240213172118 -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 22145 -prefMapSize 243693 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {3e90bba7-2c91-4168-b7f1-4233bd0fe1b6} 1932 rdd
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.5.2026279177\453616810" -childID 4 -isForBrowser -prefsHandle 4124 -prefMapHandle 4120 -prefsLen 22347 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {bc098a6d-60e5-40b2-8552-17afc8b4f289} 1932 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3964

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.6.1355060297\1475502724" -childID 5 -isForBrowser -prefsHandle 3096 -prefMapHandle 2880 -prefsLen 22426 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f9312463-7c4d-416c-90ee-2ea8e10abc1e} 1932 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:736

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.7.424161441\913584881" -childID 6 -isForBrowser -prefsHandle 4428 -prefMapHandle 4432 -prefsLen 22426 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d98fe168-094d-49c6-9a99-4b2592a31734} 1932 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3372

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.8.236508306\243865729" -childID 7 -isForBrowser -prefsHandle 2864 -prefMapHandle 4708 -prefsLen 22478 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {794677b3-2db4-4777-8d27-34bf8f35e878} 1932 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4816

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.9.995384633\1151316015" -childID 8 -isForBrowser -prefsHandle 3012 -prefMapHandle 4148 -prefsLen 22647 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {9cfa06c5-232a-4707-ac25-30a8fe2d1e0d} 1932 tab
5⤵
- Executes dropped EXE
PID:4592

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.10.1854928250\95412957" -childID 9 -isForBrowser -prefsHandle 4260 -prefMapHandle 4308 -prefsLen 22647 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8d9dbee0-f2bb-47ab-b953-c5c8d1413093} 1932 tab
5⤵
- Executes dropped EXE
PID:2768

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.11.116159855\794100706" -childID 10 -isForBrowser -prefsHandle 2888 -prefMapHandle 3140 -prefsLen 22846 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2a6de924-dc8a-4e83-b7a7-0091464a0f27} 1932 tab
5⤵
- Executes dropped EXE
PID:4976

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.12.636033516\1161230987" -childID 11 -isForBrowser -prefsHandle 5016 -prefMapHandle 4676 -prefsLen 22846 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {73fd1c28-8089-498a-ad58-f9c273bbc3c3} 1932 tab
5⤵
- Executes dropped EXE
PID:1656

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.13.1731795741\832410638" -childID 12 -isForBrowser -prefsHandle 4272 -prefMapHandle 4796 -prefsLen 22846 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {3330a111-2cf3-4176-a072-14096ae1338a} 1932 tab
5⤵
- Executes dropped EXE
PID:3704

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.14.758963464\256495712" -childID 13 -isForBrowser -prefsHandle 5032 -prefMapHandle 4156 -prefsLen 22846 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e606a8ae-a66f-40b8-b3aa-920f13dabbe3} 1932 tab
5⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.15.749832253\322961636" -childID 14 -isForBrowser -prefsHandle 1784 -prefMapHandle 1500 -prefsLen 22846 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8de5e905-24bb-4645-877b-d9e0b908bfaf} 1932 tab
5⤵
- Executes dropped EXE
PID:2480

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.16.168799257\1102877714" -childID 15 -isForBrowser -prefsHandle 1792 -prefMapHandle 2944 -prefsLen 22846 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c25b50c6-ea2c-4570-9520-f3a5f7fb48ed} 1932 tab
5⤵
- Executes dropped EXE
PID:1392

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.17.1522671660\1532548710" -childID 16 -isForBrowser -prefsHandle 4596 -prefMapHandle 5020 -prefsLen 22846 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1003a3f1-1572-488a-b193-36b3b3749404} 1932 tab
5⤵
- Executes dropped EXE
PID:736

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1932.18.1113633863\1904514180" -childID 17 -isForBrowser -prefsHandle 5020 -prefMapHandle 2744 -prefsLen 22846 -prefMapSize 243693 -jsInitHandle 1328 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {3a21b70d-ee39-4f6a-b0c0-7e761ff24c2d} 1932 tab
5⤵
- Executes dropped EXE
PID:3572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4176

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
1⤵
- Executes dropped EXE
PID:4760

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3360

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.0.285659363\1583046612" -parentBuildID 20240213172118 -prefsHandle 2028 -prefMapHandle 1988 -prefsLen 21498 -prefMapSize 245085 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {042fb085-9093-49a3-b07a-e64ef48eba9b} 3360 gpu
3⤵
- Executes dropped EXE
PID:4076

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:98d93f092f48379760415acf4a7e6dfd8037ee7dcde5cfcdb1194b34b4 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 3360 DisableNetwork 1
3⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.1.608152459\671132184" -childID 1 -isForBrowser -prefsHandle 2812 -prefMapHandle 2932 -prefsLen 21572 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {49df0709-42df-4fb6-814b-7be08fe03fe2} 3360 tab
3⤵
- Executes dropped EXE
PID:4856

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.2.1161695505\1713839739" -childID 2 -isForBrowser -prefsHandle 3204 -prefMapHandle 2952 -prefsLen 21702 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {06140872-46fc-4363-b71c-453fe1cc143d} 3360 tab
3⤵
- Executes dropped EXE
PID:1188

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.3.499247471\1443585757" -childID 3 -isForBrowser -prefsHandle 3856 -prefMapHandle 3852 -prefsLen 20789 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1131b407-7636-4c2f-9d43-72196a4275ba} 3360 tab
3⤵
- Executes dropped EXE
PID:4592

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.4.1136257975\1335852079" -childID 4 -isForBrowser -prefsHandle 3972 -prefMapHandle 3872 -prefsLen 20789 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {0ffb96c9-0b37-46ba-a72e-679910685810} 3360 tab
3⤵
- Executes dropped EXE
PID:3028

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.5.364331355\1025743402" -childID 5 -isForBrowser -prefsHandle 4180 -prefMapHandle 4184 -prefsLen 20789 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b48a07c3-3161-467f-9e6c-6aa388ede8ee} 3360 tab
3⤵
- Executes dropped EXE
PID:2868

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.6.2065128640\950352866" -childID 6 -isForBrowser -prefsHandle 4560 -prefMapHandle 4556 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8eddf958-d776-4c94-8c15-01f5451b8b6a} 3360 tab
3⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.7.1044740132\1251638095" -childID 7 -isForBrowser -prefsHandle 4308 -prefMapHandle 4216 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1fda7020-d36c-4d28-be11-c4881de2e0fa} 3360 tab
3⤵
- Executes dropped EXE
PID:3804

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.8.88716662\1066825278" -childID 8 -isForBrowser -prefsHandle 4132 -prefMapHandle 4140 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a564db42-16f3-4c5a-bd36-ea63f77a5eb0} 3360 tab
3⤵
- Executes dropped EXE
PID:3864

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.9.1272927381\1241335533" -childID 9 -isForBrowser -prefsHandle 8720 -prefMapHandle 8724 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2f66ada7-29fd-48ab-bbaa-5693058b9ca6} 3360 tab
3⤵
- Executes dropped EXE
PID:3960

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.10.1426767302\1841722698" -parentBuildID 20240213172118 -prefsHandle 8880 -prefMapHandle 8884 -prefsLen 23025 -prefMapSize 245085 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c98bf7d7-5045-4fd1-893c-692018c62aa4} 3360 rdd
3⤵
- Executes dropped EXE
PID:4724

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.11.1929937103\812450625" -parentBuildID 20240213172118 -sandboxingKind 1 -prefsHandle 8496 -prefMapHandle 8972 -prefsLen 23025 -prefMapSize 245085 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {3d7a267f-20e2-417d-b0d6-6b5613ed657a} 3360 utility
3⤵
- Executes dropped EXE
PID:4640

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.12.1777954938\123456358" -childID 10 -isForBrowser -prefsHandle 3848 -prefMapHandle 8880 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5f9b77dc-04b5-40eb-9976-456db28a1960} 3360 tab
3⤵
- Executes dropped EXE
PID:3276

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.13.1234334558\1017689973" -childID 11 -isForBrowser -prefsHandle 8236 -prefMapHandle 8004 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {9ef6cb9b-c566-4270-a670-8f281e36461e} 3360 tab
3⤵
- Executes dropped EXE
PID:3704

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.14.902681293\1117499089" -childID 12 -isForBrowser -prefsHandle 8952 -prefMapHandle 8676 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {74c89cbf-e3c3-4a21-9209-34f5682bdf80} 3360 tab
3⤵
- Executes dropped EXE
PID:1568

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.15.630551226\1204346583" -childID 13 -isForBrowser -prefsHandle 7504 -prefMapHandle 8876 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {fe3475eb-4416-454e-ac71-7d61237e448f} 3360 tab
3⤵
- Executes dropped EXE
PID:5264

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.16.1693815394\929409181" -childID 14 -isForBrowser -prefsHandle 7332 -prefMapHandle 8392 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d050da39-f39f-4388-9482-d0684998495f} 3360 tab
3⤵
- Executes dropped EXE
PID:5728

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.17.918587521\1577609007" -childID 15 -isForBrowser -prefsHandle 7428 -prefMapHandle 7496 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {9450a1ff-43ad-41b7-8a4c-786196f4fede} 3360 tab
3⤵
- Executes dropped EXE
PID:6140

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.18.122228105\1539894767" -childID 16 -isForBrowser -prefsHandle 7680 -prefMapHandle 7300 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d270f119-773c-42c4-93ef-3c0e12585e0f} 3360 tab
3⤵
- Executes dropped EXE
PID:5400

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3360.19.71150081\1375212461" -childID 17 -isForBrowser -prefsHandle 8740 -prefMapHandle 7672 -prefsLen 21109 -prefMapSize 245085 -jsInitHandle 1344 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5700a8ec-96d1-4374-bf28-e5cb654377f7} 3360 tab
3⤵
- Executes dropped EXE
PID:5600

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:236

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
656bb397c72d15efa159441f116440a6

SHA1
5b57747d6fdd99160af6d3e580114dbbd351921f

SHA256
770ed0fcd22783f60407cdc55b5998b08e37b3e06efb3d1168ffed8768751fab

SHA512
5923db1d102f99d0b29d60916b183b92e6be12cc55733998d3da36d796d6158c76e385cef320ec0e9afa242a42bfb596f7233b60b548f719f7d41cb8f404e73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d459a8c16562fb3f4b1d7cadaca620aa

SHA1
7810bf83e8c362e0c69298e8c16964ed48a90d3a

SHA256
fa31bc49a2f9af06d325871104e36dd69bfe3847cd521059b62461a92912331a

SHA512
35cb00c21908e1332c3439af1ec9867c81befcc4792248ee392080b455b1f5ce2b0c0c2415e344d91537469b5eb72f330b79feb7e8a86eeb6cf41ec5be5dfd2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
6fdb2cd0e118acc52000d2faf91bbeb6

SHA1
1fb591ca7df8b2af5f2ec94db06284dc8a9534d6

SHA256
c760161e7d91a001d30a365cac230216ad6405d69707eee069ae081c4686f9ea

SHA512
4cc3c6f5f96ef5ffe0ffd7e46d4659cff01f31f85c4f3d6c9eeedce036770e394d0d2e6f467dde2a7cc51bebb2feaaa1c8a91c7802e5d91e59bb56e3ac56b805

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
550B

MD5
2b3a31496d938b72edb44e3b28a12c36

SHA1
d3d458eedd039095acce22c4a175787369f097b6

SHA256
b380f13446b67ac654cf00d9f41026402d34e769f38fddccb4585bbaaeb84f57

SHA512
6ea0bf5097d80e9db25776032b26fd25496605af6f047ba389bd0bf597d63a684224d2134c70f1d02a8036bdbc5b66d81ab88a04f0d3a7cd1261ddc0039ac32c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e73aa1cffe0df379c84b2c3079023d20

SHA1
76a84f9ece9c5f0d544bd1c3e270ce622f7c100d

SHA256
bcbc5a645bfbe47f078a08f576f499b1d1ff88bf2d61d259b564f7895a434f96

SHA512
2c8561bed0430840d78c0d88f3d62472cb0169c6929c9b178c55e9a8b6c964e3534d6147553c99dfcf867648cbf38fccf54bbc22b397d704b95b5cf6db932ac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2995bec2fe73a64d21584ea783f1f0f4

SHA1
8d71466a883b055237f97e25ecf9b79acaa7d938

SHA256
540de35425e6edd0af80d493303c90c1f998bf1d1d4fa8b53c0e97cd1920248c

SHA512
ad2f1d410b614190600453f8e5502da888591ba10e9b82f408dfac9333f10ab7a969319d82b3eb23b2d92d7b3cc75dc41dd50dbae9ca63394d2b6601f1ccb7b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
924502109d42383403c4caaf410e6572

SHA1
9a21e32cba3a0676799fdd9e909455f84a5692eb

SHA256
64c5fe577f667c239ca0b0d3e9c1f5818a4d1098fdd2fad3c448fe001b1c5b13

SHA512
9ab9d85af39ac529c2bfd3babf258c54fd45dff33cc9d3f9a07a766f219b9354245ad347068e0c7240b7ee40d25c0bc31991ad8d4c132b6759b9de522a9c2462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9f1e243772d6095342d72468784717b9

SHA1
ff7db0cf467d203e9e9bdbd528a53ebd52826b4a

SHA256
d94f42d6413e4df7538d3040eaeb74604cfe14c99051134b8ebb329aa5aa5d38

SHA512
0252904b8557719e99200767ad2538d3c333241cef8592298cc4aa39eb77ac771a962893ade43ad4441b83fbf6a3f7e71ff76fd756ac8b4691456218d0b2a031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a4c9adc5055d20f9d17954d665399485

SHA1
528bc86191d15eddab35aa69d0cdaef3fe430dd3

SHA256
03a41230cf5f5f05835d23325f25493e002ab9d9345ec7ac0e7d49ab17643041

SHA512
9662c1940043861b9d2ca02cb82be40122461f2d3be43a6fde1aedc5b24ca356af2ca4ab97526259cea3f3af35aac8ea4fc23e69ff439f251a7c202137664a47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
03f271408eb63c81c6d38b5a29f42457

SHA1
600ab4f2ac9a5c84da68bd77b0694965a243cb81

SHA256
595074bc59a648efb76597ec1696b5edd51f89566736b55a304a4486875f94c1

SHA512
2821591e21155ea619253b90dfa66917a77bf9f7a1514cd81c6cfd137964d095f0d6ae8b61c83ac2b9c945e17c4ea7d31e87438214cbb691aa7afe8a618f28e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592188.TMP
Filesize
706B

MD5
477131a7cb58e0567586e0fe7c3e0c4e

SHA1
a3d98d25eaadd3037356a94927d20d943004d059

SHA256
110594b47a841201447d1c2f39f75309cdd818f5628e38c4e5fcbf2d3566c0c1

SHA512
c50f70b2638194989de33279d45d3016fec7476888ae705178972ef7ef2e54bd46e28ce2d3d055ed81387e182cabcec35539db52a0fe962f8281ee48c2238bcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fa6238c4cebba69fd39db88a5102a009

SHA1
00f88a3b4442870dabd2c12916975c9f9abfa3da

SHA256
1cd3037eba9365bac619e9babeb737ca8e506347af54cd8ba7f9f6715951314e

SHA512
59635f43eb95701bf12a342c590c895c7e4003e4686b90d4fab26a7acc0c745ef56bbe8cef226a0a74ce372aa88172dc4551d92500022928bc69acc4bffcfbdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
a12eec387687f832abff8a3ca4675b14

SHA1
34c36ed7febb594cae34b7b3d6f49d480d767d4f

SHA256
ab890bf7be0f5049efb8056c7ec8275f45497daa2bdca6fc11955424c74f5c0a

SHA512
f1a48819846f165cf6c11d060e0ad689060c287e3d21a476baeb531df9009f75c8a59fade62ae7605972af947517698fb680a11e745d3ddb6caeb4c74ba8564c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
6a437416ad876e6a46033a640cac2c47

SHA1
1a408eefe7236252c14490c79325e7f98d821961

SHA256
6711da79dabcb811bc8e18fa66336f7d497c1ef80465266a39325435eb3c3c72

SHA512
cf4142c5fde7cfb12abe62f82d1056563dff489aefe3b183b76b2afb91b379bb1143328ab0a3de872fbf933d73cd5e98f846f447c40b181849acf0cd2b5af4ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-3-2.1027.4592.1.odl
Filesize
706B

MD5
e96962f1fb7fb00000fb1f22386c1e7e

SHA1
cac2bf6cc9d5e69a5ff32f9d74206d4fd270e9cb

SHA256
3ed70a040ef2b14869f5ce4a471390ca27fc738ae4e1c9853aaf7677191d0dd1

SHA512
435de6e0aaaf82a50b16ee387c0fc415b214c24d0a9e3e3262f39beca66135679d585fad83fa50c709623dc01575df5685db1a03d2a636378790c2ab1f39eafa

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
d3c1574e06e9c0ed4ddfecf7eda00476

SHA1
e90dcb7eeb77fdeee2883c9c99fea03c50f80eca

SHA256
0b643c95e32e8cb6c8ad9a28231243f3d028db10560130aabe10cd65c62dace7

SHA512
06a7e8fa4859fd6902e842760ab1be755247ced2cb5d5b92fda7e25483749d2a65acc7ada0dd351c943711eef033f152137aafc18b5283bf3c310737b8b7077b

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
342KB

MD5
37c82e15058e2f8f5e9525b956e6440d

SHA1
3bf20d00bd7a7943c4066d534f5b276cac5ae39f

SHA256
80c4716318f874881151c78c4dce9a0a01be4294834f33ee7f12a8a34bb8b2b7

SHA512
5c9c37a13cac634771ae18736845b8e7c1a33fd8c6c9ae564f6863b5033a68565f0fd3da555d15870bbc547cc549153c096c44f2d7ced828baffdcfa8641da0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
296KB

MD5
d91dc7e710e5887ee55a7680ece94909

SHA1
72263f2798c0fb1b43625ffd4ed570c44b40be2a

SHA256
27c39f209a48dd577d9ad1c3a8c1de5151c531f664347857e948d07f8922883f

SHA512
b7aae488934eee59c7f7d5c8b58b294ae909273c3ac44f579f2c3ba7f88c56d5cf64c3c3dbd280bf80221eeb5dc978ad61a5425a5f366e3f3482a210ac7444d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk
Filesize
1KB

MD5
ffa187bfebc8ca823611f1178202f32b

SHA1
ef7198545aee55c39dee4fd9be6624f6375c06c2

SHA256
2c3eff9bfa7f9d676c905fb10d3df39d56aab4624f9b98386cb12e353276302c

SHA512
28ad7623c182a4a3b32c54a92dcafda68e81516f2a16c313db80768c64f9cf1f4c7028c71f5382014ec58c5bb1af02259c7167ec1aebda6355c34dcc869be499

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4DAB.tmp\LangDLL.dll
Filesize
8KB

MD5
59888d7d17f0100e5cffe2aca0b3dfaf

SHA1
8563187a53d22f33b90260819624943204924fdc

SHA256
f9075791123be825d521525377f340b0f811e55dcec00d0e8d0347f14733f8a3

SHA512
d4ca43a00c689fa3204ce859fdd56cf47f92c10ba5cfa93bb987908a072364685b757c85febc11f8b3f869f413b07c6fcc8c3a3c81c9b5de3fba30d35495ff23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4DAB.tmp\System.dll
Filesize
25KB

MD5
480304643eee06e32bfc0ff7e922c5b2

SHA1
383c23b3aba0450416b9fe60e77663ee96bb8359

SHA256
f2bb03ddaeb75b17a006bc7fc652730d09a88d62861c2681a14ab2a21ef597ce

SHA512
125c8d2ccbfd5e123ce680b689ac7a2452f2d14c5bfbb48385d64e24b28b6de97b53916c383945f2ff8d4528fef115fbb0b45a43ffa4579199e16d1004cf1642

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4DAB.tmp\nsDialogs.dll
Filesize
14KB

MD5
990eb444cf524aa6e436295d5fc1d671

SHA1
ae599a54c0d3d57a2f8443ad7fc14a28fe26cac3

SHA256
46b59010064c703fbaf22b0dbafadb5bd82ab5399f8b4badcc9eeda9329dbab8

SHA512
d1e4eb477c90803ddf07d75f5d94c2dacfdcd3e786a74ea7c521401e116abf036d9399e467d2d12bd1a7c1abda2f1d6d15b40c8039fd6ec79ba5fe4119674c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
256KB

MD5
d10a3cfcc08aae3a7234498f213cf89e

SHA1
ccae4469a3a05fcb6e7af33019ca5357e5406dda

SHA256
0da56bd07a486818b7735761001cc1d3ca5af645f369a3c206bcb6719fefff06

SHA512
90a4a68b45113360d732ccac7698c74aa550c05d9883d287b808982800fce1a24abf69cf06b0f017babd647cafd3ca10aa894c59e6dab8ba1ff34c639bdf6427

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
931KB

MD5
836cda1d8a9718485cc9f9653530c2d9

SHA1
fca85ff9aa624547d9a315962d82388c300edac1

SHA256
d3793a581da66ef5840648574ce364846e7c68a559c0f5e49faf9e4892ecdc72

SHA512
07ca078d79f622706d08a534f6b5e2c896152fb0d0e452781fa6be5dc90028fdf074b3b78acac438f2acf5b3f5522e70afb7db4551874a3083860213e2790481

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe
Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp
Filesize
182B

MD5
b1c8aa9861b461806c9e738511edd6ae

SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8

SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70

SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json
Filesize
26KB

MD5
e78921fa649fd5440bd0b58dd078872f

SHA1
188d8d206e995753a3a8abaae67a8e61498af56c

SHA256
3d88fa99dfab54e83dc86309855e9aff8e55feb4819b73d41185c0e802337db9

SHA512
e7e31ec313b75b352f7b56e6ef8e5818dc78ebc1d12e8a1f5f50a7f2ee78d03e6f7322522f05b19c89e202a770558f6eb0e58a0c7887e1b9be233a29741a9302

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
5KB

MD5
dec7677cbc0f3ff56d90dd62ed9b0f89

SHA1
4800e9098fbd7a8f9b3f99d2925cdb3404b75230

SHA256
33b6b649ef3e952ed0aff495f45b0555ac526ff7e28002b37d41be951222eb9e

SHA512
ffc0f115b93fdc0beef0b23ff75efe09558494adaca8b3823cf5ebe178e485075bca4376f7508270d7489de3b8f49644d215ed5d4ac86ecebbedc4bf83ffa71e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
5KB

MD5
5dbfa0326dd26b4b204be2ea90cc2dd3

SHA1
05fa50017e6d4bfabf22f1c059ef605a23345c5f

SHA256
314fd13a3523a31e4e70f056da4ef22cf42b09fb63b11c39c18dc39fd90db5b2

SHA512
17bb441f592625f820170adc1577aa46453ec9fc6f720d95d565279a5bf2327f38033c990b623ed4856b8ffb354b80761559e08acabd0a73b3dfb4cceb529c2a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
6KB

MD5
0356b6c4626868d7b8dc4005457022d9

SHA1
ddd87f5653eaaf5b5776be402029a7418f3fb7ca

SHA256
5e4d81279b39ee880b83ab2f7830fe9037dea80b1cff619e9fbd2f8a5a6b5cad

SHA512
376ca4853ff4ba8cdd35337966047e8677022b440473694f087b7bdeb730d262cd5d2b57a2f5ec92da74d2b289384c76351f3c244d8e35233b520027008bbc70

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
5KB

MD5
dd9f07ade607513ee935df96a5688f5d

SHA1
795e684fe298f1bb3a822e9eb5cd1fa167a352a6

SHA256
2fb8102f16c5a3bc52eb27473a25a9f25fb49b023ddced76be5b2ac297f404db

SHA512
e0feaefafc5af93888ac884ca01bc5b116a77d8fc4df558ecc440cc6a193c245c87728509abb46da823151147e16e2e5e268bb4691332ded847504de2e1e581e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js
Filesize
1KB

MD5
81a3b3463e997b41f48dd75c78b65de7

SHA1
4aa8e7f8438c86d6efa2db9f0352d70d3e095a1d

SHA256
f860f57dd9ae117b28a5c5b919d42d481ef616bf7fdc5beada1122aaf0d52473

SHA512
48d3467b474c898a586df8b2e56da581c82694665f246455666c664e6710f66d54f21ffcb03be904f689c87f793d0c3b0d37ab86a785631e5dfe7130d45c22e2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json
Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json
Filesize
181B

MD5
2d87ba02e79c11351c1d478b06ca9b29

SHA1
4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1

SHA256
16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524

SHA512
be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json
Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json
Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json.tmp
Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json.tmp
Filesize
241B

MD5
48fcad918c62db97e9af1dba1d131473

SHA1
d89381594d3241b0e645033f67572a5d8c166764

SHA256
dd8349e2789db1125b477971c5d445b6afb2f6ea3b57de65080631040900fe8c

SHA512
2278d074aab519859188b047c77fe7b4db718e0af237b63e06a1b095d7a1eb4e07d6ea59cab5d7b1325aae0047fadea36eae12a80bfefe112aab85fc18aa1ca3

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
160KB

MD5
93fac5cc3ce347229349fe2697116e33

SHA1
98b40d3636cf26246f72212588953ed337f32da6

SHA256
9d16bdd9efe7c54bfce95ec2767af570c28afe25044cc2449c7a2a3a02f9140f

SHA512
1922c75c5e6f9f81894a05ec38c191a59ada43f04a6f4f63fd98579811ba45d26192014ee00dfba5c699fd8035872bb73e88dfaad0f7d1c7d2b0ce8910ef71e9

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profiles.ini
Filesize
103B

MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus
Filesize
642KB

MD5
041e4cd54f18eff0e904839f645a0fc0

SHA1
b3f385ca89c76ed0e4549fdb195f1ff3fa389eaa

SHA256
b170f436ac0aabb0cafcd9ff4e4f74b67d57d02e96d1147ff0ca8c23061e2a43

SHA512
b53a93cf366e2426817587066d977d9d0a24e4101256ddb7ecbfecf9cebecb3e7d84c9704b0a2de8ed7f093c9cbe54a49df6c2a0887350a5ff9adc4e86af2428

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new
Filesize
2.2MB

MD5
8bc874a30f7e6af358e24ebfab6c0199

SHA1
3cae8e83cea380f72e6e4b5e46b233ed27eaffb1

SHA256
9b019fff22f32fa8a570685943135364f2f334b52d654b85ec61b02fade57f53

SHA512
cf92a5de158e73a30fefbac6b2a2d24751459f0ea37bd5b3827e535ea361d6130b8b917e17c5a7d23386461cd32e1b02a45842a255b7ca7ddd2ca8f225e9d9a6

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\browser\omni.ja
Filesize
6.9MB

MD5
5a39e72cd62f22ba3077e12a6b9ed98d

SHA1
5b9b0b354844ecff038ac8b4c51f888adeca43fc

SHA256
58e2fd200f8843b297ce188cf82ea8be25619a7a796767353274caa0592fa8a5

SHA512
539aec4f7fdfc84c829c756407ebaa4913cf22fe5833970c918200b95334a5235e3a7714c801fce83e33bd387afdf82c652b004cc82b8717899200895800ac2c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\dependentlibs.list
Filesize
42B

MD5
70b1d09d91bc834e84a48a259f7c1ee9

SHA1
592ddaec59f760c0afe677ad3001f4b1a85bb3c0

SHA256
2b157d7ff7505d10cb5c3a7de9ba14a6832d1f5bfdbfe4fff981b5db394db6ce

SHA512
b37be03d875aa75df5a525f068ed6cf43970d38088d7d28ae100a51e2baa55c2ad5180be0beda2300406db0bdea231dde1d3394ee1c466c0230253edfe6aa6e4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
Filesize
1.7MB

MD5
15ff36f3e045f98652c3909d99de57ab

SHA1
1df6b4e970451227269e09be8c67067bc8a6d7db

SHA256
d5a7aec0caef36f3e1726b7e91bad676e227ecd1aa6750ad4aef34c9411985ac

SHA512
2081aa0459ba3ea01123b5d3f760fa3198e677c914aa9c648716e667d21338e63a918c065f11c2a10b8c3adb273693825b3b878207bcf39c68c6e7de909eaf2c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\lgpllibs.dll
Filesize
43KB

MD5
10e5c7ebb10d59afe3e19e2b35743649

SHA1
79cf3b27b50881e689453c5ab90038022d3f15aa

SHA256
b17c7c7b2493535f60d21fcfa5993dd964045efd0b99329444cc5fe773a6dde7

SHA512
d8dd494070b1f352ac028d33f547bb5768b3858581e476cac38b378cba4d5720f4548ccd1e2cb79657cac68148d5b00f8c1adf9608f015b728dec0ce34d07f44

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll
Filesize
1.4MB

MD5
4d0887daeff8ab3105e737d8aa3ea8d7

SHA1
ea9a8c004b460d56dc6368a99bde6175e4bed127

SHA256
eded7914f589bc87fc5d07ae93585b2f4a86b6497627b8669bc71453712e243c

SHA512
b4425c08eb318b3777b6c9cb55a08708ed64d4b0c941dfbd8d0b16f9dad6a4cc13aa93598f45e88f193f24c2380bf404f601eafa80186356ccb8e650f54b70ed

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nss3.dll
Filesize
2.5MB

MD5
f1ee115c557e3a86498ea4a28aeb1987

SHA1
fef2c4e1686c1e80c6f215b695cce9ea5095acc2

SHA256
81fec8f9544cda31f96cafd80b9591755e6af0bcc9fb904551fd5c8da1acb0c1

SHA512
0d2ceff379df79da5f942697f613ae24b597ce900903293a92af5cb6c37d46be482ceb1ca4168a8ff155b3c49d93ba36e92e25ec0532087510f304e1906d9a60

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\omni.ja
Filesize
6.6MB

MD5
37c9c4f8c5b11ff4e212e9903bd89197

SHA1
3e03e239cafdb33624712cf6b601d41f0e5bb679

SHA256
ae7f47e3d3609a0fa5670d8c10baaa77aa08fc34ae16fed0c0f8387f1d345d16

SHA512
eb8a8aba61dc33241ee7742f902b8ecdafdd7cb51ca62c361744cd11ff67d27f2e20f5c1ddd725cd1e90a793cf084b93ce832d914b41c6bbe9782872762b0bb6

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\xul.dll
Filesize
6.9MB

MD5
9d7af8ae3b29a3ccf7e0b06b8e77413e

SHA1
870df3c952c51c0c4cff17c6f28dd727ba27935d

SHA256
6b1aadd788a61778be7592fdee0abbbe79d8f7c3646a5344195fa09883bce09f

SHA512
1077a3b101bb1db97f352cf7fe455ba8860423053028dc560d96f9019b6950c7e9272356e06b768e74a0fc6370da7893ee9adc8bfbad74e743818858ba8054a7

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\xul.dll
Filesize
6.6MB

MD5
7e00c12a421460581acf7f54f46bb3ec

SHA1
cebd506dc0e6f09325e7ce5e1ca88b1d82d264be

SHA256
d3949730eb62c7c597609411ea155703aa7b2be7ce4e6d03492e433ed11eb935

SHA512
33bb393e57afd521d5666472047bd2d47e2c228689738e76b508a217a964931f6dc84609975d9cb2ff248a8f1ff9ddfebd83a4e8801fcf401826d64bbe8aad69

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\xul.dll
Filesize
6.4MB

MD5
925b85d25909e4f94e057bb1f97722c3

SHA1
009b2f6829852050d8447cc872d858998d90d8cd

SHA256
b75ee757dcc1a22ee0ec743f80e3b20c15a5dc8e03ed7f3ca0e1b0e511a9b4ae

SHA512
9f81b48538b93058970f5553badbcaf4b0c94b0278e50cb604fa93e28dc42e701f50cedeb86aeaf21d27d8d8e0c13aa5e56cb7d1782e56feeafcd3a4e00181a5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Start Tor Browser.lnk
Filesize
829B

MD5
06c02473dbe94b2e4ed5deaa0aa9de39

SHA1
f77ad400e5e66a8c0c25e8201b62306e87e99435

SHA256
fa4ec59be50b9474a9347cda347c5adb9d05add70050ea66f47e25d98582cdc0

SHA512
93928c2e6f0c5600de96e5e836fe0484d0bc8fd6dc7235b4bbaba89b1ad1e8ba432c53020798a2dd2c7119d61f6a92f49948a8be11e1d6a4926843513023a1c9

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe
Filesize
66.3MB

MD5
1da2cff47b4674e252d3ad4d8d642e82

SHA1
a9545de30d05ce7d0eedef259d6cf74f8bff4d6b

SHA256
f51b7e15a127cd0ef182c2cc2a4b8c64fd9996a153320026b8920086c39b464b

SHA512
b4f7832858e85baf6a3c1e2ec7aaba05980976705a49158dd84a082ce9d411538e196c0e9068feb37f414f20080b4cb86d30b899053b3d2eada278d61c0ddc2f

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe
Filesize
5.1MB

MD5
13d863251cecde2db91651582cd7caf6

SHA1
cd7cd8a88956c777819fcac08bfe176893bf05ac

SHA256
ea8b8392c0537982006bd373b190daa3f2204d65b96afd4189289a55433bcc1f

SHA512
d5d1134ebebddacf70fa2a40c538f5eb4c87b185634e8c72f107df3ce8582b6955306334ada4962c5d7ed553596b2446e4ccea1f19688dba2f309d5df51b20a7

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe
Filesize
4.8MB

MD5
88e96a66028cf0a3f6bc49613e0a1b02

SHA1
ded3e04e56cb43435301aee8bff89eee9d76f39e

SHA256
c2d4a0f8d3889b684cd1a26a559f980bcecf207942448d90c8138cbd38cb2c59

SHA512
a708347ad3e289bb29fb8ba2c7400f706a785dd1696d817e35a2d1aa4cf3875662646f69ec81a07440c89df30bde8341fa30ab6c8b47a7bbb87998780e9a0ef5

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_1016_FQOUOJGVZZLPEUQS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/484-62-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/484-6-0x0000000074BA0000-0x0000000075351000-memory.dmp

Filesize
7.7MB

Download
memory/484-5-0x0000000000770000-0x000000000085E000-memory.dmp

Filesize
952KB

Download
memory/484-7-0x00000000052D0000-0x000000000536C000-memory.dmp

Filesize
624KB

Download
memory/484-66-0x0000000074BA0000-0x0000000075351000-memory.dmp

Filesize
7.7MB

Download
memory/484-8-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/484-9-0x00000000053D0000-0x0000000005456000-memory.dmp

Filesize
536KB

Download
memory/484-61-0x0000000074BA0000-0x0000000075351000-memory.dmp

Filesize
7.7MB

Download
memory/556-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-1015-0x000001516A780000-0x000001516A781000-memory.dmp

Filesize
4KB

Download
memory/736-1107-0x000001516A650000-0x000001516A679000-memory.dmp

Filesize
164KB

Download
memory/1060-1040-0x000002D46CC50000-0x000002D46CC79000-memory.dmp

Filesize
164KB

Download
memory/1060-860-0x00007FF84FAE0000-0x00007FF84FAE1000-memory.dmp

Filesize
4KB

Download
memory/1060-861-0x000002D46CC80000-0x000002D46CC81000-memory.dmp

Filesize
4KB

Download
memory/1372-570-0x00007FF841D80000-0x00007FF841D8F000-memory.dmp

Filesize
60KB

Download
memory/1372-569-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/1372-773-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/1924-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2768-1152-0x000002E2F3360000-0x000002E2F3361000-memory.dmp

Filesize
4KB

Download
memory/2768-1179-0x000002E2F3330000-0x000002E2F3359000-memory.dmp

Filesize
164KB

Download
memory/2992-874-0x0000022CFE490000-0x0000022CFE491000-memory.dmp

Filesize
4KB

Download
memory/2992-1080-0x0000022CFE460000-0x0000022CFE489000-memory.dmp

Filesize
164KB

Download
memory/3012-67-0x0000000074BA0000-0x0000000075351000-memory.dmp

Filesize
7.7MB

Download
memory/3012-24-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/3012-21-0x0000000000760000-0x00000000007BC000-memory.dmp

Filesize
368KB

Download
memory/3012-63-0x0000000074BA0000-0x0000000075351000-memory.dmp

Filesize
7.7MB

Download
memory/3012-22-0x0000000074BA0000-0x0000000075351000-memory.dmp

Filesize
7.7MB

Download
memory/3012-23-0x0000000002BF0000-0x0000000002C14000-memory.dmp

Filesize
144KB

Download
memory/3372-1029-0x0000017001890000-0x0000017001891000-memory.dmp

Filesize
4KB

Download
memory/3372-1108-0x0000017001860000-0x0000017001889000-memory.dmp

Filesize
164KB

Download
memory/3964-999-0x00000202CEDA0000-0x00000202CEDA1000-memory.dmp

Filesize
4KB

Download
memory/3964-1106-0x00000202CED70000-0x00000202CED99000-memory.dmp

Filesize
164KB

Download
memory/4100-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4100-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4100-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4592-1160-0x000002449D500000-0x000002449D529000-memory.dmp

Filesize
164KB

Download
memory/4592-1131-0x000002449D530000-0x000002449D531000-memory.dmp

Filesize
4KB

Download
memory/4816-1143-0x0000011637300000-0x0000011637329000-memory.dmp

Filesize
164KB

Download
memory/4816-1091-0x0000011637330000-0x0000011637331000-memory.dmp

Filesize
4KB

Download
memory/4848-59-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/4848-0-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/4848-60-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/4916-888-0x0000022860EC0000-0x0000022860EC1000-memory.dmp

Filesize
4KB

Download
memory/4916-1105-0x0000022860E90000-0x0000022860EB9000-memory.dmp

Filesize
164KB

Download
memory/4976-1196-0x000002D3A5830000-0x000002D3A5831000-memory.dmp

Filesize
4KB

Download