hxxps://www[.]torproject[.]org/download/

Analysis

max time kernel
235s
max time network
237s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01-06-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.torproject.org/download/

Score

8^/10

evasion trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 26 IoCs

pid	Process
3536	tor-browser-windows-x86_64-portable-13.0.15.exe
2780	firefox.exe
3496	firefox.exe
3276	firefox.exe
4564	firefox.exe
400	firefox.exe
2164	tor.exe
3888	firefox.exe
5152	firefox.exe
5700	firefox.exe
5728	firefox.exe
5756	firefox.exe
4688	lyrebird.exe
4868	firefox.exe
2720	firefox.exe
5860	firefox.exe
3536	firefox.exe
5196	firefox.exe
5740	firefox.exe
4948	firefox.exe
1816	firefox.exe
4556	firefox.exe
5708	firefox.exe
4572	firefox.exe
1012	firefox.exe
5388	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
3536	tor-browser-windows-x86_64-portable-13.0.15.exe
3536	tor-browser-windows-x86_64-portable-13.0.15.exe
3536	tor-browser-windows-x86_64-portable-13.0.15.exe
2780	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3276	firefox.exe
3276	firefox.exe
3276	firefox.exe
3276	firefox.exe
4564	firefox.exe
4564	firefox.exe
4564	firefox.exe
4564	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
3888	firefox.exe
3888	firefox.exe
3888	firefox.exe
3888	firefox.exe
4564	firefox.exe
4564	firefox.exe
400	firefox.exe
400	firefox.exe
5152	firefox.exe
5152	firefox.exe
5152	firefox.exe
5152	firefox.exe
5152	firefox.exe
5152	firefox.exe
3888	firefox.exe
3888	firefox.exe
5700	firefox.exe
5728	firefox.exe
5728	firefox.exe
5756	firefox.exe
5728	firefox.exe
5728	firefox.exe
5700	firefox.exe
5700	firefox.exe
5700	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5728	firefox.exe
5728	firefox.exe
5700	firefox.exe
5700	firefox.exe
5756	firefox.exe
5756	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617215556733369"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-13.0.15.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	lyrebird.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lyrebird.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lyrebird.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.15.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3644	chrome.exe
3644	chrome.exe
4688	lyrebird.exe
4688	lyrebird.exe
5844	chrome.exe
5844	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3644	chrome.exe
3644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3496	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3496	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 3628	3644	chrome.exe	80
PID 3644 wrote to memory of 3628	3644	chrome.exe	80
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 1464	3644	chrome.exe	82
PID 3644 wrote to memory of 4128	3644	chrome.exe	83
PID 3644 wrote to memory of 4128	3644	chrome.exe	83
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84
PID 3644 wrote to memory of 2796	3644	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.torproject.org/download/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9da8eab58,0x7ff9da8eab68,0x7ff9da8eab78
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:2
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2884 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2892 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4532 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4572 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5068 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4796 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:8
  2⤵
  PID:1600
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.15.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.15.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:3536
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2780
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Checks processor information in registry
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:3496
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.0.591290767\428997707" -parentBuildID 20240510150000 -prefsHandle 2692 -prefMapHandle 2704 -prefsLen 19246 -prefMapSize 243824 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f5318b1e-8294-482f-8a14-b9699c97409e} 3496 gpu
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3276
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.1.268213646\1632724500" -childID 1 -isForBrowser -prefsHandle 1760 -prefMapHandle 2132 -prefsLen 20081 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {711a0cf8-b093-473d-a8b5-3e8aa409bb48} 3496 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4564
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:a9754afacfcb799d60bb145f1f44a9fc1112b8d55a156896a5d82e9537 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 3496 DisableNetwork 1
        5⤵
        Executes dropped EXE
        
        PID:2164
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.2.702057215\125936117" -childID 2 -isForBrowser -prefsHandle 3200 -prefMapHandle 3296 -prefsLen 20897 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {bac6090d-f2fb-4435-8678-b7414284b917} 3496 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:400
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.3.1699758724\1501306644" -childID 3 -isForBrowser -prefsHandle 1920 -prefMapHandle 1984 -prefsLen 20974 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {22b453d2-d40d-45a6-8438-ad5c7c1fb99b} 3496 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3888
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.4.662872086\1234650335" -parentBuildID 20240510150000 -prefsHandle 3856 -prefMapHandle 3852 -prefsLen 24113 -prefMapSize 243824 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d960e99e-3d97-48bd-abea-946a7e610cb8} 3496 rdd
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5152
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.5.1218358978\252245707" -childID 4 -isForBrowser -prefsHandle 1836 -prefMapHandle 1868 -prefsLen 22426 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {24cd3995-6b0d-4d6b-b55f-1724dba349ed} 3496 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5700
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.6.39939729\1403065135" -childID 5 -isForBrowser -prefsHandle 4148 -prefMapHandle 4152 -prefsLen 22426 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c6d02c06-2333-4a3d-a0ca-916b57df7274} 3496 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5728
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.7.1828753296\1767680619" -childID 6 -isForBrowser -prefsHandle 4340 -prefMapHandle 4344 -prefsLen 22426 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ea0ced1a-f369-4c1f-a816-67395abc71a0} 3496 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5756
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\lyrebird.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\lyrebird.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:4688
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.8.1268543460\903016504" -childID 7 -isForBrowser -prefsHandle 4364 -prefMapHandle 4576 -prefsLen 22627 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8d7c3921-c81f-4467-8dc1-e259a51c78f9} 3496 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4868
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.9.2132713968\288387884" -childID 8 -isForBrowser -prefsHandle 4572 -prefMapHandle 1816 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1a05f195-c4e2-4c9d-acad-e8bd45d8e235} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:2720
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.10.295622630\2131100112" -childID 9 -isForBrowser -prefsHandle 4108 -prefMapHandle 4128 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e05b3072-eb89-4850-873c-4df02284e214} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:5860
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.11.965404896\89053680" -childID 10 -isForBrowser -prefsHandle 5088 -prefMapHandle 5084 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {01d5672a-1dc8-4aa3-97e5-a01b17e85f8b} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:3536
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.12.418179262\758208890" -childID 11 -isForBrowser -prefsHandle 1852 -prefMapHandle 5064 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {de660caa-3ef6-42f7-9be4-254418da2713} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:5196
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.13.1120329108\1670056010" -childID 12 -isForBrowser -prefsHandle 4904 -prefMapHandle 3984 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d35ed706-7193-4a54-844e-7df1f2057631} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:5740
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.14.419058356\747818305" -childID 13 -isForBrowser -prefsHandle 5512 -prefMapHandle 5520 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {45986df5-bafb-444c-9c25-d650794e2f07} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:4948
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.15.992519643\83825450" -childID 14 -isForBrowser -prefsHandle 5196 -prefMapHandle 9192 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {0439fd4e-9219-4ce1-ad90-41006da4611f} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:1816
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.16.1866226953\321798392" -childID 15 -isForBrowser -prefsHandle 2076 -prefMapHandle 5304 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a9373165-f24c-432a-9b81-0ebdecc2c53c} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:4556
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.17.1151105971\2025364717" -childID 16 -isForBrowser -prefsHandle 2068 -prefMapHandle 2004 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {626d926b-5810-4056-9d70-afa160dc8208} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:5708
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.18.25358102\1344676992" -childID 17 -isForBrowser -prefsHandle 9284 -prefMapHandle 5536 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {435af501-ce9d-46a7-aef4-eba00a03418c} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:4572
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.19.1076125502\171374953" -childID 18 -isForBrowser -prefsHandle 9252 -prefMapHandle 8760 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a6dddb67-844d-4c39-b4dd-81b0c6657d25} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:1012
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3496.20.1098996256\2030465252" -childID 19 -isForBrowser -prefsHandle 8572 -prefMapHandle 4420 -prefsLen 22914 -prefMapSize 243824 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7aa4b24c-7dd5-48fd-83df-ce0850a6e294} 3496 tab
        5⤵
        Executes dropped EXE
        
        PID:5388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1800,i,10551915307395979274,7967244286905235138,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5844

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
35f77094c1d4719ef80529a01fe19932

SHA1
a3905de2870c6c21bdd5e5f48465b8143e991bef

SHA256
471dd6c8842ad95b6e02f9d8b5a41a49f00fa399b204237b3bb74fc2c7cfad42

SHA512
c9a0fcc8cc33958e8f050aa7533d9e26bab4709b00ef35fe1bb2acad5526b71be7079e356569d19c11f76ee6d9acf3d4dd57a71cf4bc9125104b9c362d4e67e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
97698b1c3c743dd4d015bd4cb6efa583

SHA1
9438a393ac9b8fad893727666f6ba373dc5ddc73

SHA256
4410f4949b9817143ec9bb59e89d5796364448de02ab3d729ad1b7273dc0dc6e

SHA512
0b10dd4420e515fc27864420f76b6f50a047f818df7a13ca8dc7d0a2c47fa0c0f0dd503f3e07e5270f4aefac3643d723ffeeb69959190f99205ea45150163bcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
65bd916f3edf1d43e51cb242925239cf

SHA1
bc4c5da741ed5996fa83ef3293688c3fb4dcf042

SHA256
ea6531db2e2e03e18ee29512473e8e4b571e3e86d439e8b251f4cd5f9bb11b66

SHA512
985286b3073f6cc99ebff704f27af7364e30b9385e2a5dca39980c7a943adff488bc19e3a34c7bd3f04c37b3ae3b298ae28ae7da318ec7f0d67746cd5cad2ee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c35f1e282e961650a128ef541bbeda08

SHA1
c0daa0b658284deb650900bf19dcd4195c777080

SHA256
4831793da446f868b8352877dcb3c1d48a852b375224de3fde30723417b82b5e

SHA512
748fb811052499ba3fd7f3c8f191c496476d0038a50c081533a4d0e1419cacf68505d09138c4bd0bc64aaa3e2498273c3e1422af1435a58c782ef16557b9284c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bad79ffcd3ccfaa1cd87be48465430f5

SHA1
a7cbf8043e0bd6badd8e285e738e2dee5d093a9e

SHA256
f71d97e544e760ab64b906111418527c10dd46184f01cd37dc51f38ff4a3fa69

SHA512
8a52c3cd08f594a50e68a70a46616f4d25035aaadcae54e54c7f9c4c3749eb75948ff24a19f50bb2c2a043bdf777fb57f14f16b960115ccfc0a50df4d384b1ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
f040ae9581ecd974c5bf44afef56cd73

SHA1
8532bfcea63a05eee724f745cd7c5ffb92430aaa

SHA256
57c25dba57f365031323fb3e7aabb3421ddf4d677e6a05f29461a6d3d9ceeb33

SHA512
90ffc7859b44bf2d6ffe86b4abdbac8adbb447427643a9858093a6789fcd38e5b2b304ea3f84a49c591038f310b738013bacf6a9df06ffc2c31622d81a6cb003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
0696d1ee2aa11d6f226cf6b54a074ae9

SHA1
74f01c883a2d1145e23298bdaaa2533aa7e46fc6

SHA256
ee6518e2f47f90a3ff6b57f352a76537b8e70f31122bed0859349e7bc70b0d15

SHA512
9fc850f3b3430218768bc831e59c68219f380093b0389f1b8c59f53c14e75f32466ed413f1395efe9cd983d7646d90fd470cc1d3c03c6e8dd4cf223170e866bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57dc66.TMP

Filesize
88KB

MD5
92af7cd5eef040e9bc68d0b521c2e7c4

SHA1
e434d9d4ff68bc09ab46ef934299412fdd268669

SHA256
55d726c2a0ecf7dbae0135715138842e8032e4c45c0ba416581e73fbe16c1c81

SHA512
58240e1e11a8d168adacb5c30bbd8f3e9f27f266a0c03007e377b9950c11ee17281484a772656c2ac58345a0242a5cbcf9be0f4dcfaccc985fdf60b68a3a424e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB661.tmp\LangDLL.dll

Filesize
8KB

MD5
59888d7d17f0100e5cffe2aca0b3dfaf

SHA1
8563187a53d22f33b90260819624943204924fdc

SHA256
f9075791123be825d521525377f340b0f811e55dcec00d0e8d0347f14733f8a3

SHA512
d4ca43a00c689fa3204ce859fdd56cf47f92c10ba5cfa93bb987908a072364685b757c85febc11f8b3f869f413b07c6fcc8c3a3c81c9b5de3fba30d35495ff23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB661.tmp\System.dll

Filesize
25KB

MD5
480304643eee06e32bfc0ff7e922c5b2

SHA1
383c23b3aba0450416b9fe60e77663ee96bb8359

SHA256
f2bb03ddaeb75b17a006bc7fc652730d09a88d62861c2681a14ab2a21ef597ce

SHA512
125c8d2ccbfd5e123ce680b689ac7a2452f2d14c5bfbb48385d64e24b28b6de97b53916c383945f2ff8d4528fef115fbb0b45a43ffa4579199e16d1004cf1642

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB661.tmp\nsDialogs.dll

Filesize
14KB

MD5
990eb444cf524aa6e436295d5fc1d671

SHA1
ae599a54c0d3d57a2f8443ad7fc14a28fe26cac3

SHA256
46b59010064c703fbaf22b0dbafadb5bd82ab5399f8b4badcc9eeda9329dbab8

SHA512
d1e4eb477c90803ddf07d75f5d94c2dacfdcd3e786a74ea7c521401e116abf036d9399e467d2d12bd1a7c1abda2f1d6d15b40c8039fd6ec79ba5fe4119674c27

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
7d3d11283370585b060d50a12715851a

SHA1
3a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3

SHA256
86bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9

SHA512
a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

Filesize
27KB

MD5
7a1f63a6edbc055671e7ba804aa54cb1

SHA1
cf3d2e49b43d90487e5a5023a1450031751410de

SHA256
b7cededcc5b678a01b9b430da3cedc47145c8502dc8fd17f641814133d97bc8d

SHA512
b25275cd1c3303366d6f8836f8f11a246d959d353ef024013aa0c0327a86c9b7d555a7b8d9e658c4ac84844b9ed1759fe54fd751861fdd74dbd47b56518eb409

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
87b2634bf29fad089e51aa482dbdc3c6

SHA1
905e5f2ea408b5886b959e1a83917092d58a4b3f

SHA256
37831df93f7b938cfbdf788212a4df9db029d64c6bd2b2908eb7cf56dd9eb961

SHA512
3471d6a8fcb9483c1a9dd28193d6138aeae94e29376fcb9d6d60d22d01a65490c3e8627366d3002e80b159fdb7629e3ff9473d8f4efbe306ab4238dc6e2e5826

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
67d5a00959fe51c833c1773775516715

SHA1
b07524a319ea0466a2725d145bdf5d37a02ad7b7

SHA256
3409dfaac3a86a9225af4d409af7a756e2f293e77d755274a5152551a3b0d513

SHA512
13505b30600fa3451c185efdd897e6e20bafc3a49bd6173fda82eba6b2eec1e6791587bcf1566a7a22af568c06594ec53a40bcd0e46eeecc78be68f6df776b3b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
98b7f462f56f9b8ab58a428ba70a3bd6

SHA1
be5bb504896188d08997e2427b5c2008391b2b04

SHA256
f128979a9f34e1d94817e1ad05f182d57e3042503d26d444355de8fb621e2f93

SHA512
56d1e32986f35c380e35320daf3d7ef5abde55d9f0868c651f3128e2c953843ae08ebf265b58eb7d9290f72c67a6a7ee4628bfda048544eb249c2865d4af7380

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
2KB

MD5
d51371f92ade64761357c5fcb544283c

SHA1
f092d6434649e90b4d47352edf7be91c0b07671a

SHA256
d91236288e7118c5ecb9f216dca8322d28050c9faa7b2f42bd78bcb258134886

SHA512
a38df19bda050d1484103cdfae1faabbf7a1795fd4feba19ba07f95c76ba48463213d951fdf585f808f724e9f30337c8de4d6bb237951efcd1d1587825449358

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
5KB

MD5
df9704f1c0147d557de60df056aad80f

SHA1
8f5a5b733a2c2fb502e5126f83fcfc7cef3972cc

SHA256
1acdcfb7f0af8f70d30d2a354154bf8da95fd433aec91fe5ac8951629d979864

SHA512
dbbd34920999e25b46159f4601d115ee26527f855aec51ded94b2cd5ffb952c5123bde56301efbb9f1c2a24e1e9bc138d9b2925c0a26a0a8dd07c3f73ee0988a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
88KB

MD5
ac9e9fdd8d04b04782c30d5434e8512f

SHA1
6a9d182f941c6482910574870e87be5b770a6da1

SHA256
b6dde91e3b05861f33f17d881c01a0208d2cce1ac484dea494204a9f3a56c55e

SHA512
195c9326a6224c5f273749e0f02926d90f669242d28c0c60655113df26f6c5055e44a90086adadfa91159fe891c7c051afdfec5ddedc84a8753a18c650533333

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profiles.ini

Filesize
103B

MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus

Filesize
2.5MB

MD5
4f0ea11b42c3e5e793f40a81a576dfc6

SHA1
ac798434ebba8c3bdfe3b1c50c7f1b54952ae296

SHA256
9de7277c1b9431f65fec536f688e1650b39af0548083275f17939fbfed79f99b

SHA512
3f246f538af72d72720ca5c7292eba1a5112d19fcc9f9c2823f9789a302628c558d2e536ce2df2053048f7bb9143cd9f00f8e1519cb380540bbd4ebc83377e7e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new

Filesize
6.9MB

MD5
2f34a47aaefa06e1d6c28f11dda6d074

SHA1
2eb37ffef15e6ad5c4cbd6db4365bbd5de9a3b3f

SHA256
6991b302eb96f10c62336227e42b58616eebbdf8c3eeb47d9885c27f175c77f2

SHA512
e7aecef3d77a6967bc6fe360e3f757e3bc820e734ceaa2567349083172e2f20a47a40012303ae6684ae5ca48a054eab022feaeb96ebb27cfbfb6c2a1e34778f5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc.tmp

Filesize
493B

MD5
d93a73d948d50b974a413f421c29f8b9

SHA1
3f88084c1aa91281c8a36d1978f95492a0a588cc

SHA256
1c7f544d701123dfb9bdef5623e0fa2483edb3d4125491f95cb2441336ad9325

SHA512
b8420d9afb6ef28eb00494de9fd74b6a2929fc4063090b2838e6afed23e83707efbb23b745ec34a8f5427ae323881f770e733d8edc6f4d16ede0aa1a30d5248f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\browser\omni.ja

Filesize
24.9MB

MD5
0b3feaadc595d2b6588a71f17c6dcbbc

SHA1
3209da1b046534efe22c9b3da86e2cf4adf5d3ae

SHA256
4b4d1a732676a3775f133ef969b1b73c25a66603928ec542d81c144290a472c9

SHA512
55e873a9a824b95a594b7ae1dd106e94118adbb973be272d6b683a6530aaf4b9715a82b9404d1c8c4a9e950fc57a129f8205f2ea3f90d2b4b448f49211c6927f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\defaults\pref\channel-prefs.js

Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\dependentlibs.list

Filesize
42B

MD5
70b1d09d91bc834e84a48a259f7c1ee9

SHA1
592ddaec59f760c0afe677ad3001f4b1a85bb3c0

SHA256
2b157d7ff7505d10cb5c3a7de9ba14a6832d1f5bfdbfe4fff981b5db394db6ce

SHA512
b37be03d875aa75df5a525f068ed6cf43970d38088d7d28ae100a51e2baa55c2ad5180be0beda2300406db0bdea231dde1d3394ee1c466c0230253edfe6aa6e4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\distribution\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

Filesize
930KB

MD5
a3fb2788945937b22e92eeeb30fb4f15

SHA1
8cade36d4d5067cd9a094ab2e4b3c786e3c160aa

SHA256
05b98840b05ef2acbac333543e4b7c3d40fee2ce5fb4e29260b05e2ff6fe24cd

SHA512
4897aefe3a0efffaa3d92842b42fe223f0b9882031a65bea683f4554d1fec92b8a66ea15c67e9b95c7fc12991cde3245010ccfb91768ba233711ced3412c13bc

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

Filesize
1.7MB

MD5
1415ff2562e8a4c595e99ff713a1ba38

SHA1
0286f612a5572ec221e456ec145149078930c76a

SHA256
18324f12f6e5858900e764340a24cf1f86b78041db68f3da062b9bca8ce6c7a8

SHA512
4dc261ba9bb6476eedf0c050bbfc20f5a46d080dbe35665b0d9230608b0c08115e6d251de741e87d83cf4ab4304d59e3f2328af71196443f3b967d4492d8dc64

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\000_README.txt

Filesize
297B

MD5
793eae5fb25086c0e169081b6034a053

SHA1
3c7cc102c8fcaf3dcbe48c3f8b17ec0f45dcc475

SHA256
14e396a360e5f9c5833dc71131d0b909f7b24c902b74f31a7a3d78d5aa0fa980

SHA512
5e949be232df14bf7bfb679986a16f4a613439f5b5e71271abbfbf74296b43c977510fd6403702139ffd77dd3369e054dbe086e0188fff4f436f3505654e1f70

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoNaskhArabic-Regular.ttf

Filesize
225KB

MD5
27dfbbe8ee4015763e3c51d73474e94a

SHA1
4328cdc9a3f9c6b7df0624c81afbd3459f213e40

SHA256
b4fe7b745c5b40e5d6294a883afcb8b4264b88d331fd0b4620050441479f391e

SHA512
42cc921fee7bad58ee1fac12eb8153b580b5d9d6ed510d5df4bd4be754ef1b017c987051385d828b70de050340f9629be7b385d0338c9db6e0f9f51543387375

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSans-Regular.ttf

Filesize
589KB

MD5
e782457ebb0389715abdf5a9e20b3234

SHA1
e0d9ad78d1972d056d015452ed8dee529e8bb24b

SHA256
0e90d375cdb64f088a6a676eb560b755afa184e523fefbb9c33fdda4d7dd8461

SHA512
3ec030fdaa18f90bd8060466276c9ec49fd9233746e603d61a4f65a9a53e97e7b3382f8f913da17c48ffefc8adcf2be25f7e1c51f16555068b8f344a4e6dd961

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansAdlam-Regular.ttf

Filesize
91KB

MD5
ac01114123630edca1bd86dc859c65e7

SHA1
f7e68b5f5e52814121077d40a845a90214b29d41

SHA256
1b7b86711479fbfd060ed38abe1258246b4be2826760e6827287958218bb3f5c

SHA512
1c9ac878ba12f3de207aa9a7eb8c0239f769f9ae7475fec998e998192aa6900fe146039ac982612c6c0b7e5363355f2803d8f62e4787c0908c883ac3796e2a9b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBalinese-Regular.ttf

Filesize
128KB

MD5
12764d72c2cee67144991a62e8e0d1c5

SHA1
f61be58fea99ad23ef720fbc189673a6e3fd6a64

SHA256
194e110cb1e3f1938def209e152a8007fe5a8b0db5b7ce46a2de6e346667e43d

SHA512
fb670a7dbb57465d6384cd5c3a35356e94bf54ac4cb7578e67c8729ff982943b99c95b57f6059443e3e8b56d8c8d2cfc6e81ae3a1cf07306f91c3a96e4883906

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBamum-Regular.ttf

Filesize
224KB

MD5
f0b22427c3ddce97435c84ce50239878

SHA1
a4a61de819c79dc743df4c5b152382f7e2e7168d

SHA256
0282610e6923d06a4d120cff3824e829b4535a8c4c57c07e11dbe73475541084

SHA512
ff2b22e58597d0ba19562c36f03cf83b5f327eee27f979c9ff84fe35a21b1fc9234f21fdb35fb95f933c79b9cf7760328d29b31480153da59a6576cf5f7f544e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBassaVah-Regular.ttf

Filesize
7KB

MD5
778376d22591a4a98bf83ac555ddf413

SHA1
608172ca18450b4cc61ff6cc155f66cff55c5bf9

SHA256
8218239377452e05634a91ee8a4338daf0aa96a15673a437533a098eb9c06f53

SHA512
e895a03374a3d3da04554cd048191722652ed4f1f7cc91639354843138ce26aea6c7f2da0ecda47eb76bcdd61a0315cc2e35e080a5953c24d82f4e94ce4aa260

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBatak-Regular.ttf

Filesize
21KB

MD5
9390ee64243e5335b79e33e5e8311341

SHA1
c8d4b3ab79f6b12311eb4e4da29e709e583b5870

SHA256
cff9f0e51e7f1d95934cac31d9ad43ba453ee308c7b46a27803dc7e2e6c3adef

SHA512
ad7b23dab247c5c71298c5023bc58bd1d00160145558d86ab75dd37de1f1017540bac544cd9bf1cb2802d19d2973c0cf189d05a980777de886ffb552ae923bc0

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBengali-Regular.ttf

Filesize
198KB

MD5
7b5138efef2c02dda9cfae9917cd913f

SHA1
b44b58f354c4a68e119df226f01ad763b2d1025c

SHA256
9f8b4dd091f19b111d24ea18daae81bea8684cc67de17ea1acd797e144bf20ba

SHA512
47e4cfd2218c91080fc4ccc3ac13dabe9efb7c96b981d53577177fb062973b9fad0052edcf2b0c663ff3b7a1d9e38e96586c93cb72618d64344b96e3df13204c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBuginese-Regular.ttf

Filesize
7KB

MD5
bd4c30081a164037311e8712423c5bf2

SHA1
2a13bc7987ca34644b075c1fe197ba293b4ca527

SHA256
bc19f17d7f6e8f280c2cc95ef6d1b67fac25becfe98722f482039a4d84f3c9ba

SHA512
2a20d113b73cbca311d08dba40dcb7f8ab9d5383f7590b61b785070f77204db9ab163557a420c6c96ede815643f82ffdf75bc59b5802284779ff237616734c66

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBuhid-Regular.ttf

Filesize
5KB

MD5
34699ac8824cdb6593b4dbef605dd6b2

SHA1
22ff82e35cbb1ac9053f767f404ee351786fe0c2

SHA256
328d80e11e7f65f9b6e4bac12de32b7ce42154301c2a14ba92155e32e05939d6

SHA512
fe714d5d44c6c2f4f96b4349bff301a67749bcb084ade3a0270723f1fa6bd6061193c4d782cb663d63e2c32cc809f33a8114e2e0bc6915de2b04efc82b5de673

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansCanadianAboriginal-Regular.ttf

Filesize
111KB

MD5
fc6ec655d6a00c567119522854e24172

SHA1
b72baef2dc0aca98cf7d3458cc027f4b0622db08

SHA256
0d188756c9c282bf31738af5373f2363cc8007bbbc8d5560fae5821ed4937611

SHA512
0a0eb23751b5df39becbbb308b6b36e324ea6ec469d2167a795cc10fb3bc38cb7b3187a3a63566e280470b09a080c000280e3b9a01681a68f8a3f35c7a2f139a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\freebl3.dll

Filesize
690KB

MD5
d95b080522c46eb65e8d5649f63b4dcb

SHA1
66a1d20c6a9d67c39dd27ab0653cb2c875e4a000

SHA256
bd7ba810019884ef8002302d8f3e6bc8476dfddbca6c6caf58bfe35dc1516d00

SHA512
720edeba3de59a0e6def728f6f097540032d426a45d2ed1b045f072d916e2f3b3e9b88e8c825959c1cbe52eb7e621ed1e635f3be5ce1bcaf67ccfba3823b837a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\lgpllibs.dll

Filesize
43KB

MD5
60060fca03446a8d9927fb3e254d4827

SHA1
7939740fa99d45e9dfc8d974b2eb6b26ed6eaf87

SHA256
677c9992fbd068364a123f23c22fc8b023d8446b0c33fbbd09b88b722339f179

SHA512
aed767f0b4dd0ed8d5f7ef393c37f2512e3a29e0038d768f01b89c52bad85ef29d0a55bd3ab344f853f2a4e6c44d442e193c181d07dfcd38849b2c81c978670d

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll

Filesize
1.4MB

MD5
5382e3987a1347af3bc4705f8c1d1487

SHA1
b909e402b53db1cd0adddd80eff9c7dde7a0baea

SHA256
7b1f3e637d1a219cf2e8e56a7cb940aeafb442308d8d35aab0fd3d5013346be6

SHA512
a3621b656cd9cde98c6bac04a94f564397d05eb62fc52c0b5879cc6d3e9756b3e2234e895f833e3b26e7a03faf1c85ace654c388aa46766929c5dee22d793745

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nss3.dll

Filesize
2.5MB

MD5
ea8e6a9acebc39f558acd1bd82dbdde1

SHA1
17131f0a927ea1f857570b1b541a524d43b53fb7

SHA256
37b630d828d3d886ea06f841b83ba37b59b4ed4991e28debe5ecd1d765ff04b8

SHA512
a02b2f9850ba19093b9d8c291b0b5253f23c73c7e34fb5649f7effc8cc809d025581af64af28d5b8fd5337ea526146f274ffa25ee3eb7a055d69110752d2a9af

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nssckbi.dll

Filesize
472KB

MD5
21d0d59316ebc2b15938ca84db562300

SHA1
144f12431f9804bf94103d0334b733865547b829

SHA256
aa9d1b7421d8f8925e324258ed832983cd9a81d3f11ae301b7c80b1cfd9a27a1

SHA512
ee5844abf71140e6bdb4826336b83fe144121c655e47daac3d5ab06312188f14ecbbefe8643ec0dfbc7071eb136d35811c0caefde0077e8707a2d15ec3f0db03

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\omni.ja

Filesize
17.7MB

MD5
19ecacaaea9cd1fa41ece74bf5eef8b4

SHA1
8813c248e348f1578a6286dfb6a07a4666e4af3d

SHA256
3ed1d3a73a91eb9ff0dd990ec4a2ab3e4ea54d7738dc193e3ad51ae6a9b5c1be

SHA512
7cdf9bb8a065792b281f5d9768f98b5326b10609dcd42f85bf06a80dc83bf9390aaac3492a66dbe60e2473b6598aa266e48409bc1b5ac87329f2d7bad510142e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\softokn3.dll

Filesize
288KB

MD5
c68998293eeb01f29158103e8c568dbe

SHA1
87afc20671346abb8c8151f3e7edff4d7c92b5b5

SHA256
d063690acd9d5567b497e7b1aad89e3675990c42fbf0c9e82286157bd7471c3c

SHA512
552bdb07c01d2008f892b2c4d9d612bcdd89394a34473e4433279fcf9cf4d1400ccc22e56db2b532c3391e4c1cc180d2a27e54173f6aba93a5f7324d693946c8

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Start Tor Browser.lnk

Filesize
829B

MD5
196425af7b12d1d9a5221265d5770816

SHA1
9111257d9040ea38bcad88149930378e696ad2c3

SHA256
8e1a4eb5cc644dfd58280e09a22b73e5a8b57da671be9c215aacde4b839d932b

SHA512
9fd4e48de6bbcd3501ab1031fd20361cd3768d358b69b2346179ab20bef333516a3b74ae15c4d5b98a19784207acd0f6c414eac276c2409e1ff33ccb1f9e28ed

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.15.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3496-559-0x000001AB096E0000-0x000001AB096F0000-memory.dmp

Filesize
64KB

Download
memory/3496-680-0x000001AB06340000-0x000001AB06350000-memory.dmp

Filesize
64KB

Download
memory/3496-728-0x000001AB01C50000-0x000001AB01DC0000-memory.dmp

Filesize
1.4MB

Download
memory/3536-416-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/3536-386-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/3536-388-0x00007FF9DEBF0000-0x00007FF9DEBFD000-memory.dmp

Filesize
52KB

Download
memory/3536-200-0x00007FF9DF570000-0x00007FF9DF57F000-memory.dmp

Filesize
60KB

Download
memory/3536-199-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/4564-526-0x00007FF9E8670000-0x00007FF9E8671000-memory.dmp

Filesize
4KB

Download
memory/4564-525-0x00007FF9E8660000-0x00007FF9E8661000-memory.dmp

Filesize
4KB

Download