Analysis Overview
SHA256: 385acfc374741d089060df1d9f5b5a7d1e118976b4c1fa75a127d41758969206
Threat Level: Known bad
The file Launcher.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
NTFS ADS
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-07-09 18:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-07-09 18:41
Reported: 2024-07-09 18:47
Platform: win11-20240709-en
Max time kernel: 300s
Max time network: 303s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3156 set thread context of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-126710838-2490174220-686410903-1000\{7ED8F1BA-87DC-47B9-A94A-C184A41334B2} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 528903.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff81c3c3cb8,0x7ff81c3c3cc8,0x7ff81c3c3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff81c3c3cb8,0x7ff81c3c3cc8,0x7ff81c3c3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,3084741408696975545,7739840513556477299,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,3084741408696975545,7739840513556477299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5900 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3784 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6472 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.exe
"C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,3541612154620160975,8631637959276175885,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2912 /prefetch:2
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3068.0.298415665\1246019264" -parentBuildID 20240611120000 -prefsHandle 2224 -prefMapHandle 2168 -prefsLen 19243 -prefMapSize 240228 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {81b25d38-8be3-4d4c-8681-ce6cfc2f4128} 3068 gpu
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3068.1.1721789724\1693050971" -childID 1 -isForBrowser -prefsHandle 2788 -prefMapHandle 3140 -prefsLen 20081 -prefMapSize 240228 -jsInitHandle 1392 -jsInitLen 240916 -parentBuildID 20240611120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b5e8d88f-5b19-4861-b560-5bd9bd5f336c} 3068 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:cc770b996fbc64ef60ce98df8de3c815bb89c96934568325753a35466e +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 3068 DisableNetwork 1
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3068.2.1846351570\640737048" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3588 -prefsLen 20891 -prefMapSize 240228 -jsInitHandle 1392 -jsInitLen 240916 -parentBuildID 20240611120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {42d2892a-4c25-47d6-a892-72b5a2348423} 3068 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3068.3.1164895728\1922938157" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 20968 -prefMapSize 240228 -jsInitHandle 1392 -jsInitLen 240916 -parentBuildID 20240611120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f09a2f96-a709-4e8d-a6bd-403be0c03722} 3068 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3068.4.1225887330\1735118212" -parentBuildID 20240611120000 -prefsHandle 2756 -prefMapHandle 2604 -prefsLen 21357 -prefMapSize 240228 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {23e6b09c-18f1-4f5d-ac98-f95aa82385d4} 3068 rdd
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3068.5.2113861581\874644194" -childID 4 -isForBrowser -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 22491 -prefMapSize 240228 -jsInitHandle 1392 -jsInitLen 240916 -parentBuildID 20240611120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8ca7dcc8-4d26-4bf2-9cd6-7c8fbd616c10} 3068 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3068.6.1900274754\1668654942" -childID 5 -isForBrowser -prefsHandle 4168 -prefMapHandle 4172 -prefsLen 22491 -prefMapSize 240228 -jsInitHandle 1392 -jsInitLen 240916 -parentBuildID 20240611120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {878369ef-0f8d-480e-84fa-f2831b9a4583} 3068 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3068.7.77554902\67900320" -childID 6 -isForBrowser -prefsHandle 4196 -prefMapHandle 4200 -prefsLen 22491 -prefMapSize 240228 -jsInitHandle 1392 -jsInitLen 240916 -parentBuildID 20240611120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d2600c30-8b5c-4f1d-a2a6-e729c3bdfe7b} 3068 tab
Network
| US | 45.57.45.155:443 | ipv4-c587-ord001-ix.1.oca.nflxvideo.net | tcp |
| US | 45.57.63.216:443 | ipv4-c169-was001-ix.1.oca.nflxvideo.net | tcp |
| US | 13.107.21.200:443 | bing.com | tcp |
| FI | 95.216.163.36:443 | www.torproject.org | tcp |
| FI | 95.216.163.36:443 | www.torproject.org | tcp |
| GB | 88.221.135.104:80 | apps.identrust.com | tcp |
| FI | 95.216.163.36:443 | www.torproject.org | tcp |
| FI | 95.216.163.36:443 | www.torproject.org | tcp |
| FI | 95.216.163.36:443 | www.torproject.org | tcp |
| FI | 95.216.163.36:443 | www.torproject.org | tcp |
| US | 172.64.154.167:443 | www2.bing.com | tcp |
| US | 172.64.154.167:443 | www2.bing.com | tcp |
| FI | 95.216.163.36:443 | www.torproject.org | tcp |
| DE | 116.202.120.166:443 | www.torproject.org | tcp |
| FI | 95.216.163.36:443 | www.torproject.org | tcp |
| FI | 95.216.163.36:443 | www.torproject.org | tcp |
| GB | 95.101.28.56:443 | aefd.nelreports.net | tcp |
| GB | 95.101.28.56:443 | aefd.nelreports.net | udp |
| IS | 93.95.231.88:9001 | tcp | |
| N/A | 127.0.0.1:51272 | tcp | |
| DK | 185.129.61.129:443 | tcp | |
| N/A | 127.0.0.1:9151 | tcp | |
| N/A | 127.0.0.1:51392 | tcp | |
| N/A | 127.0.0.1:51458 | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 18:41
Reported
2024-07-09 18:48
Platform
win10-20240404-en
Max time kernel
314s
Max time network
318s
Command Line
Signatures
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 212 set thread context of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50f8f41530d2da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "336503708" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e0be5534150446b85833d0051c1cab000000000200000000001066000000010000200000009fbe8b3e6c809cdf9cf820b36c4fcd3d5aa49d7d338b9f2359cc2c5c712141db000000000e80000000020000200000006011102ef6be5bca787d3a151e6ec7ce228a1698f6d37cadf74c147a601d384720000000d6463cf8652fb980b6e780725959562e2484b3701c923af76187cb5a86aeab6340000000377802070acf0c1aad231953642688adfa41e6db911ba57d72e3a5df716bdcf69faf67a483aef57a8db6373dec01f1d584c92684434a84c567af71b885d05dc5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4024fc1530d2da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e0be5534150446b85833d0051c1cab00000000020000000000106600000001000020000000d21f669093867d361e904a26620db7cfcc2b6d96bdd20f82d4328d6da459127f000000000e8000000002000020000000a98b88695b59ecde4252363410ef22e8e999221583c6b969e90bc5203a6465bf2000000037d89d62d48e377e34fca20db2491f37ae68ed9c0ca6b15f345e0ce29776a3e8400000002179d49567bd40a3319967878d1ba0200f6beb72fc7c6bfe9df10b34a8783aac5280ef22762e1a7779d225ae05389aa720fbe5f00d7a2e0fe5f038983ebc1c76 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3F9BF25A-3E23-11EF-B03F-EAEDABA7A252} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31117872" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117872" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "336503708" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4472 CREDAT:82945 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | civilizzzationo.shop | udp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 8.8.8.8:53 | 34.67.21.104.in-addr.arpa | udp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
Files
memory/212-4-0x00007FF77C330000-0x00007FF77DA4E000-memory.dmp
memory/3220-5-0x0000000002E00000-0x0000000002E4F000-memory.dmp
memory/3220-8-0x0000000002E00000-0x0000000002E4F000-memory.dmp
memory/3220-9-0x0000000002E00000-0x0000000002E4F000-memory.dmp
memory/212-7-0x00007FF77C330000-0x00007FF77DA4E000-memory.dmp
memory/3220-10-0x0000000002E00000-0x0000000002E4F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 18:41
Reported
2024-07-09 18:47
Platform
win10v2004-20240709-en
Max time kernel
299s
Max time network
191s
Command Line
Signatures
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 612 set thread context of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 612 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 612 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 612 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 612 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 612 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
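The SetThreadContext and WriteProcessMemory rows above, together with the memory dumps listed under Files, are the footprint of Launcher.exe (PID 612) hollowing a legitimate Windows binary, BitLockerToGo.exe (PID 4504); the same pairing appears in the behavioral3 run as PIDs 212 and 3220. The script below is an added example, not part of this report or of any sandbox's own code: it parses the signature rows and dump file names exactly as they are printed here, pairs every source PID that both wrote into and set the thread context of a different image, and attaches the dumped regions of the target so the injected region's size can be read off. The sample rows are copied from the behavioral2 tables above; the regex column layout is an assumption about this report format.

```python
"""Flag process-hollowing-style injection from sandbox signature rows.

Added example (not from the report). Parses the pipe-delimited
'set thread context of' / 'wrote to memory of' rows and the memory dump
file names, and reports source->target PID pairs that did both.
"""
import re
from collections import defaultdict

# Constructed input: rows copied from the behavioral2 tables above.
SIGNATURE_ROWS = r"""
| PID 612 set thread context of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 612 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 612 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
"""

# Constructed input: dump names copied from the behavioral2 Files list above.
MEMORY_DUMPS = r"""
memory/612-4-0x00007FF6C35C0000-0x00007FF6C4CDE000-memory.dmp
memory/4504-5-0x0000000000C20000-0x0000000000C6F000-memory.dmp
memory/4504-8-0x0000000000C20000-0x0000000000C6F000-memory.dmp
memory/2232-11-0x000001CB38FB0000-0x000001CB38FB1000-memory.dmp
"""

# Column layout assumed: | Description | Indicator | Process | Target |
ROW_RE = re.compile(
    r"^\|\s*PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+)\s*\|"
    r"[^|]*\|\s*(?P<src_img>[^|]+?)\s*\|\s*(?P<dst_img>[^|]+?)\s*\|$"
)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_signature_rows(text):
    """Return {(src_pid, dst_pid): {'actions': set, 'src_img': str, 'dst_img': str}}."""
    pairs = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        entry = pairs.setdefault(
            key, {"actions": set(), "src_img": m["src_img"], "dst_img": m["dst_img"]}
        )
        entry["actions"].add("write" if m["action"].startswith("wrote") else "set_context")
    return pairs


def parse_memory_dumps(text):
    """Return {pid: {(start, end), ...}}; repeated dumps of one region collapse."""
    regions = defaultdict(set)
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return regions


def find_injections(signature_text, dump_text):
    """A candidate is a (src, dst) pair that both wrote memory and set thread
    context in a process running a different image than the writer."""
    pairs = parse_signature_rows(signature_text)
    regions = parse_memory_dumps(dump_text)
    findings = []
    for (src, dst), e in pairs.items():
        if {"write", "set_context"} <= e["actions"] and e["src_img"].lower() != e["dst_img"].lower():
            findings.append({
                "src_pid": src, "dst_pid": dst,
                "src_img": e["src_img"], "dst_img": e["dst_img"],
                # (start, end, size in bytes) of each region dumped from the target
                "target_regions": sorted((hex(s), hex(t), t - s) for s, t in regions.get(dst, ())),
            })
    return findings


if __name__ == "__main__":
    for f in find_injections(SIGNATURE_ROWS, MEMORY_DUMPS):
        print(f"{f['src_pid']} ({f['src_img']}) -> {f['dst_pid']} ({f['dst_img']})")
        for start, end, size in f["target_regions"]:
            print(f"  dumped region {start}-{end} ({size:#x} bytes)")
```

Run against the rows above, the script reports one pair, 612 -> 4504, with a single distinct dumped region in the target of 0x4F000 bytes; the behavioral3 run dumps a region of the same size in its BitLockerToGo.exe instance (PID 3220), which is what you would pull from the sandbox to recover the unpacked payload.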
Processes
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\nbrsem.exe
"C:\Windows\System32\nbrsem.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | civilizzzationo.shop | udp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 8.8.8.8:53 | 34.67.21.104.in-addr.arpa | udp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| IE | 52.111.236.22:443 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
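The Network tables in both runs mix three kinds of rows: the resolver queries to 8.8.8.8:53, the guest's reverse (in-addr.arpa) lookups of addresses it already talked to, and the actual TCP connections. The script below is an added example, not part of this report: it parses the rows as printed here, folds the PTR names back into dotted addresses, tolerates the one row whose protocol was printed in the Domain column, and separates connections to an allowlisted domain from the rest. The rows are copied from the behavioral2 table above; the allowlist (g.bing.com) is an assumption made for illustration, as is treating any other TCP destination as a candidate indicator.

```python
"""Extract network indicators from the sandbox 'Network' rows above.

Added example (not from the report). Separates resolver traffic, reverse
lookups and real TCP connections, and lists candidate C2 destinations.
"""
from collections import defaultdict

# Constructed input: rows copied from the behavioral2 Network table above,
# including the row whose protocol was printed in the Domain column.
NETWORK_ROWS = r"""
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | civilizzzationo.shop | udp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 104.21.67.34:443 | civilizzzationo.shop | tcp |
| US | 8.8.8.8:53 | 34.67.21.104.in-addr.arpa | udp |
| IE | 52.111.236.22:443 | tcp | |
"""

# Assumption for illustration: domains seen in clean runs of this sandbox image.
BENIGN_DOMAINS = {"g.bing.com"}
PROTOS = {"tcp", "udp"}


def parse_rows(text):
    """Return [(country, ip, port, domain, proto)] for each well-formed row.
    A row with the protocol in the Domain column and an empty Proto column
    is repaired rather than dropped; header or malformed rows are skipped."""
    out = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if domain in PROTOS and not proto:
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        out.append((country, ip, int(port), domain, proto))
    return out


def ptr_to_ip(name):
    """'34.67.21.104.in-addr.arpa' -> '104.21.67.34'; None for any other name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def summarize(text):
    """Group TCP connections by the domain they were attributed to (or by bare
    IP when the row carried none), and collect the reverse-looked-up IPs."""
    resolved = defaultdict(set)   # domain (or ip) -> IPs actually connected to
    ptr_ips = set()               # IPs the guest reverse-resolved
    for _country, ip, _port, domain, proto in parse_rows(text):
        rev = ptr_to_ip(domain)
        if rev:
            ptr_ips.add(rev)
        elif proto == "tcp":
            resolved[domain or ip].add(ip)
    return {
        "candidates": sorted((d, sorted(ips)) for d, ips in resolved.items() if d not in BENIGN_DOMAINS),
        "benign": sorted(d for d in resolved if d in BENIGN_DOMAINS),
        "ptr_ips": sorted(ptr_ips),
    }


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for domain, ips in s["candidates"]:
        print(f"candidate: {domain} -> {', '.join(ips)}")
    print("allowlisted:", ", ".join(s["benign"]))
    print("reverse-resolved:", ", ".join(s["ptr_ips"]))
```

On these rows the candidates are civilizzzationo.shop (104.21.67.34:443, contacted repeatedly in both runs) and the bare 52.111.236.22:443 connection, which carries no domain in the table and needs attribution by ASN or certificate before it is treated as an indicator. The 8.8.8.8 rows are the resolver, not a destination, and the in-addr.arpa names are the guest's own reverse lookups of 13.107.21.237 and 104.21.67.34, so neither belongs in a block list.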
Files
memory/612-4-0x00007FF6C35C0000-0x00007FF6C4CDE000-memory.dmp
memory/4504-5-0x0000000000C20000-0x0000000000C6F000-memory.dmp
memory/4504-8-0x0000000000C20000-0x0000000000C6F000-memory.dmp
memory/612-6-0x00007FF6C35C0000-0x00007FF6C4CDE000-memory.dmp
memory/4504-9-0x0000000000C20000-0x0000000000C6F000-memory.dmp
memory/4504-10-0x0000000000C20000-0x0000000000C6F000-memory.dmp
memory/2232-11-0x000001CB38FB0000-0x000001CB38FB1000-memory.dmp
memory/2232-12-0x000001CB38FB0000-0x000001CB38FB1000-memory.dmp
memory/2232-13-0x000001CB38FB0000-0x000001CB38FB1000-memory.dmp
memory/2232-17-0x000001CB38FB0000-0x000001CB38FB1000-memory.dmp
memory/2232-23-0x000001CB38FB0000-0x000001CB38FB1000-memory.dmp
memory/2232-22-0x000001CB38FB0000-0x000001CB38FB1000-memory.dmp
memory/2232-21-0x000001CB38FB0000-0x000001CB38FB1000-memory.dmp
memory/2232-20-0x000001CB38FB0000-0x000001CB38FB1000-memory.dmp
memory/2232-19-0x000001CB38FB0000-0x000001CB38FB1000-memory.dmp
memory/2232-18-0x000001CB38FB0000-0x000001CB38FB1000-memory.dmp