cerber | hxxps://github[.]com/Endermanch/MalwareDatabase/tree/master/ransomwares

Analysis

max time kernel
387s
max time network
386s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/tree/master/ransomwares

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___A8OY3UHK_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/3B19-F0F8-349C-0098-B10E Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/3B19-F0F8-349C-0098-B10E 2. http://xpcx6erilkjced3j.19kdeh.top/3B19-F0F8-349C-0098-B10E 3. http://xpcx6erilkjced3j.1mpsnr.top/3B19-F0F8-349C-0098-B10E 4. http://xpcx6erilkjced3j.18ey8e.top/3B19-F0F8-349C-0098-B10E 5. http://xpcx6erilkjced3j.17gcun.top/3B19-F0F8-349C-0098-B10E ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/3B19-F0F8-349C-0098-B10E

http://xpcx6erilkjced3j.1n5mod.top/3B19-F0F8-349C-0098-B10E

http://xpcx6erilkjced3j.19kdeh.top/3B19-F0F8-349C-0098-B10E

http://xpcx6erilkjced3j.1mpsnr.top/3B19-F0F8-349C-0098-B10E

http://xpcx6erilkjced3j.18ey8e.top/3B19-F0F8-349C-0098-B10E

http://xpcx6erilkjced3j.17gcun.top/3B19-F0F8-349C-0098-B10E

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (1149) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4752	netsh.exe
3332	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-13.5.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	firefox.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	[email protected]

Executes dropped EXE 29 IoCs

pid	Process
5704	tor-browser-windows-x86_64-portable-13.5.1.exe
3300	firefox.exe
3884	firefox.exe
3064	firefox.exe
5732	firefox.exe
2656	firefox.exe
228	tor.exe
5520	firefox.exe
5904	firefox.exe
5432	firefox.exe
3704	firefox.exe
4676	firefox.exe
6108	firefox.exe
5472	firefox.exe
3192	firefox.exe
5492	firefox.exe
6308	firefox.exe
3632	firefox.exe
3044	firefox.exe
6340	firefox.exe
2496	firefox.exe
3932	firefox.exe
3304	firefox.exe
6920	tor.exe
2688	firefox.exe
3240	firefox.exe
1512	firefox.exe
6708	firefox.exe
6808	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
5704	tor-browser-windows-x86_64-portable-13.5.1.exe
5704	tor-browser-windows-x86_64-portable-13.5.1.exe
5704	tor-browser-windows-x86_64-portable-13.5.1.exe
3300	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
5732	firefox.exe
2656	firefox.exe
2656	firefox.exe
2656	firefox.exe
2656	firefox.exe
5520	firefox.exe
5520	firefox.exe
5520	firefox.exe
5520	firefox.exe
2656	firefox.exe
2656	firefox.exe
5732	firefox.exe
5732	firefox.exe
5520	firefox.exe
5520	firefox.exe
5904	firefox.exe
5904	firefox.exe
5904	firefox.exe
5904	firefox.exe
5904	firefox.exe
5904	firefox.exe
5432	firefox.exe
3704	firefox.exe
5432	firefox.exe
3704	firefox.exe
5432	firefox.exe
3704	firefox.exe
5432	firefox.exe
3704	firefox.exe
4676	firefox.exe
4676	firefox.exe
4676	firefox.exe
4676	firefox.exe
3704	firefox.exe
3704	firefox.exe
4676	firefox.exe
4676	firefox.exe
5432	firefox.exe
5432	firefox.exe
6108	firefox.exe
6108	firefox.exe
6108	firefox.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\v:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	raw.githubusercontent.com
45	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3424	whatismyipaddress.com
3422	whatismyipaddress.com
3423	whatismyipaddress.com

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	[email protected]
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	[email protected]

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp48B7.bmp"	[email protected]

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft\office	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\program files (x86)\steam	[email protected]
File opened for modification	\??\c:\program files (x86)\bitcoin	[email protected]
File opened for modification	\??\c:\program files (x86)\outlook	[email protected]
File opened for modification	\??\c:\program files (x86)\excel	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\excel	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	[email protected]
File opened for modification	\??\c:\program files (x86)\office	[email protected]
File opened for modification	\??\c:\program files (x86)\the bat!	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft sql server	[email protected]
File opened for modification	\??\c:\program files (x86)\	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\word	[email protected]
File opened for modification	\??\c:\program files (x86)\onenote	[email protected]
File opened for modification	\??\c:\program files (x86)\powerpoint	[email protected]
File opened for modification	\??\c:\program files (x86)\thunderbird	[email protected]
File opened for modification	\??\c:\program files (x86)\word	[email protected]
File opened for modification	\??\c:\program files\	[email protected]

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4404	cmd.exe
4092	PING.EXE

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
640	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133669151709275938"	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000_Classes\Local Settings	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-13.5.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3881032017-2947584075-2120384563-1000\{91F5C131-6E2C-489F-9EE6-4D131A930D6F}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 692055.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2592	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4092	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
464	chrome.exe
464	chrome.exe
4200	msedge.exe
4200	msedge.exe
1684	msedge.exe
1684	msedge.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
5224	identity_helper.exe
5224	identity_helper.exe
5528	msedge.exe
5528	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
464	chrome.exe
464	chrome.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3932	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 3188	464	chrome.exe	82
PID 464 wrote to memory of 3188	464	chrome.exe	82
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 3456	464	chrome.exe	83
PID 464 wrote to memory of 4936	464	chrome.exe	84
PID 464 wrote to memory of 4936	464	chrome.exe	84
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85
PID 464 wrote to memory of 2336	464	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase/tree/master/ransomwares
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe4d08cc40,0x7ffe4d08cc4c,0x7ffe4d08cc58
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2040,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2588 /prefetch:3
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2132,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2600 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4520,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4948,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5020,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5272,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5140,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5312,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4880,i,14380993954865539222,3836532267971948716,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:5768

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3932

C:\Users\Admin\Downloads\Cerber 5\[email protected]
"C:\Users\Admin\Downloads\Cerber 5\[email protected]"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2412
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4752
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3332
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WHNOVU_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5044
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CDRDIQW_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "E"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:640
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4092

C:\Users\Admin\Downloads\Cerber 5\[email protected]
"C:\Users\Admin\Downloads\Cerber 5\[email protected]"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe3abf46f8,0x7ffe3abf4708,0x7ffe3abf4718
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5528
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:5704
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3300
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Checks processor information in registry
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:3884
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.0.1292875641\229696482" -parentBuildID 20240708120000 -prefsHandle 2212 -prefMapHandle 2216 -prefsLen 19247 -prefMapSize 240456 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {14aaa45d-1796-4c5b-b30f-d738b4358ace} 3884 gpu
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3064
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.1.1557305512\1373435905" -childID 1 -isForBrowser -prefsHandle 2784 -prefMapHandle 2780 -prefsLen 20123 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {11d0c62f-51f0-49b2-9d00-6fd2f6078e7f} 3884 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5732
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:d78e925b3332034260cdee97cfb7e9361b22647e38c9a62fbbecd471ca +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 3884 DisableNetwork 1
        5⤵
        Executes dropped EXE
        
        PID:228
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.2.1781805188\479667824" -childID 2 -isForBrowser -prefsHandle 3168 -prefMapHandle 3164 -prefsLen 20897 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {3fe1e311-6b8b-4f2a-8105-7d24af1dbeaf} 3884 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2656
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.3.1781233108\1357766478" -childID 3 -isForBrowser -prefsHandle 3768 -prefMapHandle 3368 -prefsLen 20974 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a787749a-016f-41f6-bacf-b9d115c755c7} 3884 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5520
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.4.2047708902\758872618" -parentBuildID 20240708120000 -prefsHandle 4036 -prefMapHandle 3380 -prefsLen 22346 -prefMapSize 240456 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {6f0e3e6e-da8d-40eb-a0dd-017529df5520} 3884 rdd
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5904
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.5.295549593\1150703400" -childID 4 -isForBrowser -prefsHandle 3540 -prefMapHandle 3528 -prefsLen 22218 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {51feac3f-24ae-4887-bc10-9cd9c33dede5} 3884 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5432
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.6.521108528\1780884909" -childID 5 -isForBrowser -prefsHandle 4220 -prefMapHandle 4224 -prefsLen 22218 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c2a01613-a9b2-4d35-85fc-d6d880aa776b} 3884 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3704
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.7.1220730138\1031681141" -childID 6 -isForBrowser -prefsHandle 4468 -prefMapHandle 4472 -prefsLen 22366 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {270f3578-0d8f-470b-8de1-02013880cdd9} 3884 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4676
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.8.1113515051\1840018644" -childID 7 -isForBrowser -prefsHandle 4276 -prefMapHandle 4280 -prefsLen 22543 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b8e586d7-9cd8-4f04-914a-642343cb10ed} 3884 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6108
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.9.176216860\138253635" -childID 8 -isForBrowser -prefsHandle 4740 -prefMapHandle 4980 -prefsLen 22666 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {680b0652-570a-4b6e-9fe8-02e62e7c4706} 3884 tab
        5⤵
        Executes dropped EXE
        
        PID:5472
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.10.2109877580\1110561204" -childID 9 -isForBrowser -prefsHandle 4712 -prefMapHandle 2820 -prefsLen 22865 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {05499aab-42e4-4e16-8704-8f6f80221bad} 3884 tab
        5⤵
        Executes dropped EXE
        
        PID:3192
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.11.519788696\150081012" -childID 10 -isForBrowser -prefsHandle 3392 -prefMapHandle 3192 -prefsLen 24827 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e2839e2f-a8e5-4b83-b33f-e3d6ea5f7cb2} 3884 tab
        5⤵
        Executes dropped EXE
        
        PID:5492
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.12.1534276620\2036562877" -childID 11 -isForBrowser -prefsHandle 5144 -prefMapHandle 3460 -prefsLen 22865 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {81b37b57-f8ea-47ff-a1df-b6e2f7cb03b8} 3884 tab
        5⤵
        Executes dropped EXE
        
        PID:6308
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.13.1549426730\499952071" -childID 12 -isForBrowser -prefsHandle 5628 -prefMapHandle 5668 -prefsLen 25094 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f3114be5-7a3c-4284-8da6-b125121a1f5c} 3884 tab
        5⤵
        Executes dropped EXE
        
        PID:3632
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.14.1334668320\1873900802" -childID 13 -isForBrowser -prefsHandle 4948 -prefMapHandle 4924 -prefsLen 23132 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5991538e-6dc4-44b0-a157-3db1cc502b52} 3884 tab
        5⤵
        Executes dropped EXE
        
        PID:3044
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3884.15.331369588\1705043512" -childID 14 -isForBrowser -prefsHandle 5280 -prefMapHandle 4560 -prefsLen 23132 -prefMapSize 240456 -jsInitHandle 1228 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {0a8d7449-6621-4ad6-937a-9c9aac18b059} 3884 tab
        5⤵
        Executes dropped EXE
        
        PID:6340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:6668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4252 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,16995993541609793985,17425094238001347916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:6840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\2317e147c93c4cc5af764c720221cb03 /t 4820 /p 5044
1⤵
PID:3928

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
1⤵
- Executes dropped EXE
PID:2496
- C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
  "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3932
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3932.0.1741190555\439781277" -parentBuildID 20240708120000 -prefsHandle 2044 -prefMapHandle 1908 -prefsLen 21578 -prefMapSize 241916 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d37745a1-f31f-4d44-bf73-8ca2de0af8d0} 3932 gpu
    3⤵
    - Executes dropped EXE
    PID:3304
- - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:7c0f809b0c99d7b6606a60b324e771abe22392d4598353ff6b4af7aa6e +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 3932 DisableNetwork 1
    3⤵
    - Executes dropped EXE
    PID:6920
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3932.1.32630600\634887164" -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 2732 -prefsLen 21652 -prefMapSize 241916 -jsInitHandle 1292 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {9f034eb2-8571-40a5-b982-d17ed7399569} 3932 tab
    3⤵
    - Executes dropped EXE
    PID:2688
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3932.2.1613926392\2023241142" -childID 2 -isForBrowser -prefsHandle 2796 -prefMapHandle 3236 -prefsLen 21782 -prefMapSize 241916 -jsInitHandle 1292 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {251cff18-2800-45a2-9577-b3dbf4fadc85} 3932 tab
    3⤵
    - Executes dropped EXE
    PID:3240
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3932.3.1351149089\1447698987" -childID 3 -isForBrowser -prefsHandle 3912 -prefMapHandle 3908 -prefsLen 20641 -prefMapSize 241916 -jsInitHandle 1292 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {951a658b-a3f0-4591-b8af-3dc14284bc69} 3932 tab
    3⤵
    - Executes dropped EXE
    PID:1512
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3932.4.14927743\941046888" -childID 4 -isForBrowser -prefsHandle 3116 -prefMapHandle 3100 -prefsLen 20641 -prefMapSize 241916 -jsInitHandle 1292 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {74f99fb0-751e-4673-8ed9-25262f435814} 3932 tab
    3⤵
    - Executes dropped EXE
    PID:6708
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="3932.5.1829843234\27083064" -childID 5 -isForBrowser -prefsHandle 4148 -prefMapHandle 4152 -prefsLen 20641 -prefMapSize 241916 -jsInitHandle 1292 -jsInitLen 240916 -parentBuildID 20240708120000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {387bc0bf-6ca1-470a-bc65-ae019eee2b9a} 3932 tab
    3⤵
    - Executes dropped EXE
    PID:6808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\284cd0d1-b663-4658-b75b-83cc6310183f.tmp

Filesize
100KB

MD5
7c5f135f9b1ec2a723d5b0f24f16127d

SHA1
5d7fc528dc35bc3731a2fe75d08378030564a73c

SHA256
15c8a0a83a4c0347fdc4e11166d13ae89d5fd0ceac7e8174497ca324aab23822

SHA512
f9b059ffc7a60f49b5099e0ddc4c46fa58f9b337f7b5f23313f363180e303cc8302a2e65f5d43a0640d9db6e58255c67fce320b27142daab2cdf732038dc3aaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8493b16f44bd9b47525c7e14d7040306

SHA1
7b61b4e3fb10fef6ec80a79027e5d57deda03035

SHA256
c0978f3ab532d85d0bca5686b56e5b8062acfdbf8e2d565fd0b46c1572f4cee5

SHA512
2428fe44c14c60fff1966a237611f03496faea3b96ac55cb76b359e5cfe7e69fd1c478b345ee027433729f7384679c83e3d29cf6306cc26312d4ab64459b6ba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ddff5e1f0f846512a6a4a1f616d77528

SHA1
ce0002ed9617e6b6025fe48ebab89ba24fdd6b70

SHA256
25428cd0f1aa9caf81f251d7682b3b1ee7d7098a64675fb5f57cf8846cf1f74b

SHA512
7264a5a76eacd8308a041b072cd2bbf3695f532df77f119120d44a2b51c3af96b35e3f86687b9485360d192517312ccc230778b8588c1baca9b444abf860b388

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
50ee52817b6871645f4e97ed53bbd383

SHA1
15381b759641d18cae251e0b49140f791c9c6ca8

SHA256
1c918fda232edbec287e2a2b4f85cf2a184e042e4b79bfa16fec4ef55027a2c8

SHA512
7f55200f86b5336140ba39a63765c2db1cb5635451627e22743798a01fd80759141820a4cfb80b7fd1f2efcf399d220d69ef787b43f43c6300b112f8cf07c426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e3f9dc15d9f198cd8c38121fe102180c

SHA1
cb7b4281b39ec248df07c759d56adb7aaa5f5c78

SHA256
0805ec4605f88443479a9abd9040846f38bc2e7794f80d63dc978acbddba8029

SHA512
1efde241c527a68da129599772aa01fcba3e2f6212592ececde4324cbaca50f429c52902c69940e9e585f5e0f4635f1a126a14feb2a2f6a88e944fb3d5ae3995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1f30758522201c914b53ff7d94d3ae30

SHA1
0324ba385f9aa94228b1549849e7bace49897b5e

SHA256
455328cff874bd119ee96c2d2e9284c1dd49452920824476698326d20444c33a

SHA512
082d32b5b7ae54fe7b2464ea8af7e18c57ca7a8050cd343876852e91ade8f3d498d26b9daab02811e249fd0c18bc864df8e9412ab63178c39ec85b879510efb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3d0383498d57ec20842c066b3763aaf1

SHA1
855d302c38b6bafb0a5b4e14f1eacd5da83b7ea2

SHA256
aabe84a37515590bdba2be46067a105bb93a8d5faa97859ca0584654147eb2e6

SHA512
31b1ef56e554f0bbfeaabd4f3635df9f44f287bee695a6a183d0628b355b3c7322b9da16e0b6b66817a4849403b6cffb9e3f64f63b02c3dd2efc5f3fb0170b8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
95d4af035edfe80b56796fd357c9f664

SHA1
94fe1b9face2c4de846b6437eb6d3f250ac8f67c

SHA256
659ab8dc99a3f205fd63abf15e12dfaf98b62bad394a5fd6062eb00575f94c9c

SHA512
91a2c95588235484fb5c1eebf5d57cfe92fef8888d9daedf5568b80333984c1533235391282d4cc0e46ef30b5568985e752bd679b16c3179291f62d9694c2469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f03ec179e8db7cb2146870d9017039b2

SHA1
b2ca6ff03dbb0299e96e87c2e9b9afa886fd2f4e

SHA256
0843397f9167edb6bd9b369de6b42f749f9ce691321401ec73904cc723d4cd93

SHA512
4ad8d77f6d5535266cccf9c6b125c53009998bebf6a475d677020b407152250eeb593ab628445ad734c0bc12fcb36f535b20a21d95ddc5b3126fedd875575744

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5ac077f6cf80e610031e028b29f13e91

SHA1
0c6ce72181151a25382a954fd9300c00e68c2619

SHA256
f5a254f2cfdc154a81af6e5aecf983a117f60674ab44d963633fcd3851aa51f7

SHA512
00adff5a66333325130b7df0cf3c2255bbda1aabfffcd6c624e09c7419b504c1fbdf20e6f7f5132721e95b75c3837450d778f31bcf1a0f07b4ca32c2d7d9d418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8131f5aa2c5c56c3234c12795b97e845

SHA1
68e4e55b55002e05e10a60a1e0556be00dd8855b

SHA256
81b5d389bbb08b43a0e3d240c95199fbf7b1dee78e552f0b54d92cd6a31a7af3

SHA512
a997fe0939f920fce284cf0c06eb5cecca0530a9dff1200cb5fb0fd74f9b7dfca743b420964d7ca8f2748a4733e1102fa1a1482f60a27adf58f7932900718bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
82dcbb9d009c74f3e352d2283babb754

SHA1
c9bc4a7e335f295527fbcd376d1139031a787940

SHA256
3d81ec637a28cf9b0de38d5c6ed7ac4cd40d310434fec0a6792a9a8f33c09484

SHA512
6327aa103dfd4a7e1c0bb56fd481c0541e32cdcfdcccd2e95936c6d7913a241c3ff1cf6134495080ccd0417218564072777edc18e060bcf27430db23281a6fcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
82b70ee661c3b9babc03373e44f87e9c

SHA1
bc336c5d52c153199270190c8273cdafcdb9848e

SHA256
b1cb5de59f01f41024a60a063ebc5deb1edbe36d3478d737cd0619d581317c55

SHA512
e59f47f6f8985393da6cc5dcbaa642d8c0481a192fad566b3b94bfae9785af7607ed3d5e9033160bdad793906b57430387b2eb0055a527ff7fa84ea4424e24b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8532d1b5a52b43e28cfcf46d2b5fdb97

SHA1
c1df25637136444c7d412072b4a4d946ae3420da

SHA256
60268ed3f3440c162373374eead9449e024e845b773a0da26cfdf5f1e96e6fab

SHA512
a1a4acd6991a7207c3187d762c8455ee7caf28c2010d5b6efc1b4c043ee4e34540321eb4967ca75c7f1ea671b28369275db92eadefbe9ad2f5a137c5a2e7e45d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6a4d1885650d3b988a532f669b6a87f7

SHA1
b2f4b1032c3652b40f8e65e9fd79692db922c9f4

SHA256
91195f419638f9d4419319560b689c9ef4ab124300e62f8a1fe152e4f7585d45

SHA512
651a3b3ddd8445a9745a60c8f8336aa3dee1867f71185fd81264620d09beb2dce828353d51d9fb640a0d97f1c649768eed0c1d00e6f38c6fa9d33ba194ea0786

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
16a1af86f6688f00821530ed367b75d9

SHA1
8372ff24303e45937a84bf60a96c6dc4870f7f16

SHA256
dbc823d63267164d08854dafe1ecdd7ca4e3e8915810926a3372a7ae886c7501

SHA512
3345e6599dde5472241fe1cea3bff7ebc30c2bacf93b2ac7c45d7f152596a752bbb63ec58f8929d9cc8cfbaae117c35e24992d5a50b001615fb94e41a1ed0f78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c87d8c1a2132128dfaf1aebf6aa2e846

SHA1
3bf254585877bd1bc334adb16722c7ecb7a4d69a

SHA256
4e9c7d16e33f2e4e450c8a3b1e6a2e637760683e38adaaba0e5e9b7f70765b86

SHA512
4e26815add46c6d0858c2b38e2d534796dd1709947c8dd6693eb1ef9bcf94aa90232f9dba48d36143a3447c9b1bfb3341b109908bfc8bc610f01c29568472acf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7bc502b8b9384c3ee2c0f0b405c9ba70

SHA1
1e47511bd027b1a9526a7b5d0224405a30e38bf8

SHA256
27cb395f7c713af40d625bad46322e9bce8067870920bd167add405a13492ba2

SHA512
4889a20dea79093b9eba002c56f0a4e278d21cf2a4037eaae86c8c5a72c4073ee725753432d2cb8b15e2733da695974ce8951011dab40f0b77483833a6ea8724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a3743904cf7864cc8a56f1b8de0f473e

SHA1
d86f42b41c0762aea36d902358f826e9a9615f2e

SHA256
a6fdcdb1401a252168cae0c1e573179404164627d3c46333e27c09127925de6c

SHA512
3b9d1da509a0a0380ff532e8f4f16381a88bd37370aa335ad50c988f58b70fd517b5864105858f1507eb94d50751d719edcc6aa5bf88f9118ed0469768775e58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5ae0a88df9fb1fd6d393fad16c81dad9

SHA1
3d5f47d6030906d13609fecd7f230fc47659f9b4

SHA256
caa13a7996554ec94f193917ad1601b21df97d3f5d128ce88b78304d89fec315

SHA512
d6f8eb348cd9a341f00b8b2518939684e974c0556b0cca7c58e00ae8a1b4448c2fe1eaeb40a86ffd2d81565ae7200422a786cc8a3d3a078dce4098157a76ee4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8e47191b7e60f1024a62107b6812e51a

SHA1
b835d3a2606f3a8025b9c7011d10b991ea7016f9

SHA256
3cebcb4167406301ec3f3bafbd5ae854bd93c7e24f4d92698ade2987fd7d7686

SHA512
f2894d590398a6b843d89462484c439e72fc876fb614c3af6eed07b8407839645a39be54f1b5748e26e8f0ae294e87757eb4522e72dc6450a63a1ff16924dacc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
164df5b422fe960f106cff0e470f0a1e

SHA1
7ff780775ddb87856189cd76b0550675950fd800

SHA256
5e7d27db85898eed48eb16f70544a8baae406e16f22877d1e26047f6a1a13ad5

SHA512
cf751d83f609eb17d87d4ffc82c88cb15e8efb306e174ec198b83d56e48065c4c51c91e5e4df68f5134181c37f9eb2da0829ab268e7991cabad37575f0ff647c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c38130ab8af59c6434185f54fd2b1d7e

SHA1
9947f9d9e6675da74385fb11c152088753f420ee

SHA256
86adb0f77ddb8d9fd4f0b14a2e2183350d5176507cad9fa3b97fb68611ebf686

SHA512
7bf98cfad0899ef01689b388a01d0530642c05a3a68e1573dfa4aa402c79ff81ce5f348e7b64c43da9f3c05b00e1aaf5d1e04cf453118cc7bb896626b6c73bf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
857de950939ec8437be99b4bb9688a9d

SHA1
95232c23a3f89554ab37ed87971b4ca5015bc353

SHA256
1f45f559219269a1ce3978a9a98ee37964b7e0536f3efd4ac813809ea0384e0c

SHA512
b86d2fa1eb12796a3a3188993aa16e2f697a45a882930680d25d6f52f9a75a85bed96ff4db0986b0b4bb9eb9723ed99fe52653ad292e1f2ba26fdebaf5576f77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
303a34e1892b5f0748539af039104f71

SHA1
d04031f9e5747138a7c8c3c2e2227c729ed0bb62

SHA256
62a93d3c882f40ac33457571a2a2a35a9cc4b5b0ca4fae6bf41d62d3fb241b84

SHA512
7eb8cce465613a202f6a02474f74addb43b6b764073996b508e261b1e2874be00b72349de1e696a1b6cd6600b5c69a83bdc1a9f2f827ed2d32ad96782feb7ed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
af83612548fcd68a20690206e9fbdeb4

SHA1
8f859e3d3af7959b41dab0c86b02e6dee023cee9

SHA256
eb8799351b2dcdd9dc9fba0e1c1bea01cb27f0736ec8ed0470219dc10687ca2e

SHA512
1dec468a9616f17c2de80a239e952918a54d7cd2c70ae8d62f6e45a81098f99a76a22afc867029db9d3a99ba91e26c3ea091e51d8ec9303b89109ad9ad5dc077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b2913d263f6370e009342d8c913631cc

SHA1
d7b0b9143a3c7c9dda74a64cb89c8446a61ba0b1

SHA256
c1b494cc6b6d7a79c94871b6c570b20f4c4f8cc8cda05ee6d485f627fe5b378b

SHA512
0fbc74eac6e847b0ffcf1faf0a65422a51242e8c5f88e82cf16726bbcff1bf7eaa3836681c16f65d85fab3b56b835e2fc6e9fedb0c45bb0228d915ecc946b8fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
546d8c795c56a1672c923ebd4887c6b1

SHA1
6c34a5ffd4ba7842319c48443153438cdb852e01

SHA256
598526f337d7b34f8f4eaec48950cbebba821bc526855396621cb4743694230a

SHA512
b1b0898a7e7f02daac912d9ece9a6aeeb5f614845cc62ca1269894f4c4e9c2946e622040dcb20ef806dea26a4e21a95e1a045f551f224d1733574abb375006eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3dc567af085ccad9d9b5813f77f76acd

SHA1
5b898a757564779b6a4886ecc80d59bc65faf5cf

SHA256
6f3265782a4bb2c1c1aae8b7ab1ebfa5e7d361ac44ba4768d3ee561e71c3971a

SHA512
d4c84bb3a6feff3ad88c0bda2bf18706044acf20b5723750fd201c1e40e7da306def1975d9c0485b84a56b4af84151185bd311f79fd066fcef27e547518ceb5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7eda54bf56872578ee0324ef4478b866

SHA1
0f31d9b6e6e058cedeaa1e8cc644adc04b5ba3b2

SHA256
06f77c3c1809cd6bf82fb059f2d9dfc7ec638f833f3f625cd9090d73af18662a

SHA512
e503978dc1a129e996d62b399080e543c5eab403101bc85affed71b8447636cb885f932f07a225189e699db8441f12ee1d545a9c74c7bc331c88ba6d120020be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a476cdab159504f79aa18b38178b2589

SHA1
3166c7c49e1f4c0ba30348cb020217e1b77374d8

SHA256
b62fa24c735d68ee2cbe7074596a15779363fe14029b5c509f55d3dad9c54286

SHA512
17c681da2499edb231a8086054fb9705a5e7124ddcc93fa9e7eabab9ff24188b951d8d7c4834b8d0acb3a760a27a91c4264d29d108dc857bed7eb04ecb588f12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f350562c90f5cb62296b9e1d4f224f0

SHA1
d2272331777ca860e166bdea98b6eabc2d059a3b

SHA256
1a86f0a9bbeddd067e2ac0c5e631ee32a863c796569ae655e925880d34263379

SHA512
3a2f8e0902fbd3492764611a43452ee6415535a3b24f1990eff072cdfeb1958a6e28c748ea33892bac8b84e72ea38ef4ac8b00aeadf1f3024de62f285b4a025d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b208a1b14b9f38b2a77873d9b53ab91

SHA1
563b6cd7ef728837594f9df75803b1d393653f98

SHA256
b32c35d6287baef3895f92106db3a8adadf913cf9028e8caf95ceb90413f6668

SHA512
46c440c7612158dc8ec3f27e7192516d4d563cada37b3c417ddb241e0baae95cca9cbe59813fca4b13817bce52db8d91939b9f223f235d9c2eec4ca4612e981d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5fd664318043679915a6e5610edf225f

SHA1
2f3d16f8f91def6ecf16e724b6c2bbf1263fb010

SHA256
d275fa450c2d0582c1b1a7f97e41222431c066db023199a12f786fb0ef123b5f

SHA512
c3dff25159d898f10b47014fd40e0c57a0ab48624a45da4a6b2bba30dcd345484c53b240596d28172d9d2cd1885ee943b1b99b0fd6821312b578732c661e47d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
505651a4a2225cee3af6033145e1696d

SHA1
904c922279e7fbaf4bd04512e0ca3f0a400cd657

SHA256
80e44eea4f345f2cbf3600f97d0e1d3126e5e34b0455d018c142079cd7460f1b

SHA512
e998da91385deccc6465ced1c52f4c1df47512e946e82abb16bf2d16117cd737f2ece23d58c26e09449ca975aa2307c0879ebd44cfdaa1ea8ad8b0288755d28b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
ac215451aeb8e4e3a83d31ec2d59a034

SHA1
edd2daa539f1cf07c16f8f54d050d93adb3f0fef

SHA256
536c903b0d8e46a68ef26c8c1ae4c6ea2e8730648ff88d0d5afa764bb6928e45

SHA512
46c5d790e6e6c7b264bdffc20fd6a68b8de0d27290a93be677424feb1ba84fe9b7167d28529a196dcff4b89ff95c4288b9383d9f64ecf7f1477ae0e89afaea3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
10efa20494293d66cb74d9c37b7ebd93

SHA1
70404b419ba77dee2986cc42e500a9334739a23e

SHA256
5d3f2f8764af7c5913c1e88694b3dc25f8d2597640092b2a1c8a9a30a6f9c1ac

SHA512
e517f3c25cbfd784e08d2b80dfcd4feca841d2dd9c51674c3cfa9ce60f7e02e7769f73d4178bac7f3a326495028539d512f1a23443a52f4336fafa797cdb22ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7b7e6ea7-54c5-4cb1-b13d-5bacc90fdae1.tmp

Filesize
11KB

MD5
979bd7175e7f7e271f9e8a98afd9ad33

SHA1
d45ab448986b17009868d5f36742014b262f72fb

SHA256
112ae350143586f162469faeddf922697976cb2aa046b0a1ff5b44c322004382

SHA512
953812ceeb79966811ddacfe0bf7418684f849d792a37789cc0e5a5c452ca944e8683e1ec062cbdb856ead6d0e515a00ad0f2245c81a67ab03a44537349e205b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78d53c4ecb4f237a195804abc28ebb1e

SHA1
5b036abe11431d0c164cc5427aa7eaaa2d8d1580

SHA256
b1ead24150c5c17d1e8cdfaa64b4395cb1b0872c6f4bb25eb8e024ba0e39c847

SHA512
90c1e12b736dc1a644262a44141f4bd7eb5fe935249978d1ff083e39017652ab847107add5b5fbeec6318db181cd22a728938fba7c384c8023ed8e3c03e61496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
28KB

MD5
4aadb2baab3e3281f196310a81b265ae

SHA1
dfec2e7f89bdfa61d75017b4f841778959ca281e

SHA256
776198e51a720d00e6fbdf21dc6595f02c3567ac572cdc33d59c77983f6551f9

SHA512
1d7d768c85cc1aff3f9a89a61e898acf449b229302cc483becb71641aebb0804f4a86a250c4c4111e4ecbc5bfc750e8156743bbc00f4a0f54fe38a8a2a1c2d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
46KB

MD5
7767f7d29e2a6b84d4cdcc7f27d1d5f6

SHA1
9a4040e4ca968554f67933ae5b5f73cfce3e31d1

SHA256
5d879cac1ca0da0c78aae1cd5e893eabd4a39da426c0efdb5e0069defc706efb

SHA512
c194be5c2172c5238142d8f0235b2d8ff43cadea6b3386e5bfcf40e69b235a0d87deacf3aad8e6ce3a2a8c799e7340ef2f4593ae91e4bbe7a62afd4cba082147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
4adcb7b17ce7493fffa5e7b78ab56736

SHA1
f33c47f47c63c6029fe70785d0f99eeb98f5b903

SHA256
682b65c8467af85fb63bfc61e355543a8e5e658fdeafd54572c0265df82e8d8c

SHA512
3b9110f01c966af0e381bafb91d72b02f030f67aae3fd500ffb5b086d04a946a0bbe3b53f08229468febecb75bb8d26da92aac46c64426644774834dfef18bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
2fb2914c91acc6866ac4303c2bdbfcf1

SHA1
94c78cb2520123050d93ef1381269ee3821b8727

SHA256
a3323cfb9204dc565141a1f09aa8ce10145e2f819718314e052cf84a375871de

SHA512
4745819df7ebf8a49769a96dee24a4619239025e270208cf34e05c7579b2af77e004beae0271c3c9c28e33aaf46088cee84109fe2dac2cb752c6ddd1b5f48b81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
f855549071d144e347e2884da07e342f

SHA1
1da749034989c5f54e06ace4bd6444dbc13a6bdd

SHA256
0bd392d3baa207c563cb30a39075dcaa7f7e991645e59d3dca24cdb2cbee90cc

SHA512
b5b9f1c24d309b355640c8d29b4f651e94f190606fb78037411bf3e4c082888a2743b0180cefc9e848c3dd571766a99de94f2f3c0aca7331789ec03c12d17a2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba3bc8cdb35959dc862f8932cc9c2d4f

SHA1
7cc966210b664d9ee4205546aa37ff8256b27431

SHA256
1ef8218bf5e170c744fd8dcd8dc95ed314776db99cbe7a25b5160539b27bbb63

SHA512
444ea9346285af0dad726164d0a0841db624a5f23eb25f4686b8ddae2dcded9bd133c92e9fb6637c987e16aa5dbd90e9f4a65786c1dfdb0e6b979f4d2c0743ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
78a43182d010545f889c675e4dd089b6

SHA1
82620a9e38355af2aac761335daedc4e79e50f63

SHA256
6276d6c46258f50281320af10e3a6a9b31b86a5703c93c9d9989034bf9c9d9a2

SHA512
25d713b0ec45b61d2082b667fe32bb5be5d6f12c039e681d3dab78363e2abdc3a5d26a5965e3657d174231d03401e69053a4f3b56edf1623cffc21b3efbd5b52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a4062038f2d36ce3aa8f1aa1d3fadf8

SHA1
5d3dabd2eba3324cea3052d2cc0cd5eb4c1c68af

SHA256
9be2915af6dd6d0833100775d52b4b3f89f88c2a6bc2b5c5ed9b885ac49c1e5c

SHA512
ad597c1ddabe3a62780283c154d441e8f98d41ca8184b597e17b3ba2a55000769a5c2f508a06053c25bf7aa60c61e917180a27eb5ce30b8fde6ac7bd1822008b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3cd65f443cf8668c3fe101bf14e64f15

SHA1
43a7f80028aec6ca550806ce2a89598ba52b2b73

SHA256
0de547e80c5d9e2f0868399b6ae0f7df2fdac5d78906022b7b1a3393bb7e292f

SHA512
755471db5017cdf64911ba106281016ce8006ddbadc7802f0efbec0267e55db7f94ee2281abbde73fec507e8351b6d0b524e2304800f1de71760471f8bc967db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2d32ea22aa187514fd7a9b4073699762

SHA1
17a5e361a0357dd6cfc4cb607fba6ccfba018874

SHA256
701dfcce444213af9940e2513d5c23dd11af53a59d505b5a7157c047e0d1cee4

SHA512
2025e5fd25f3ff1ae63976b9781dcda5e841281386e3231629f83521347fb1b866102182ea0326766a1a8b2339a4fae5b24ada2a05040b384b50e797a9d01689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e00bb3f138a55e448afafa9d3419fe4e

SHA1
386632fbc4c952eb48dce5e3951e3692de3d4441

SHA256
f5d2a5d6e856db127da8b51ac4c7746bfca89ac4339c86d31e10b05495b42358

SHA512
b3025f6841924ffa7e446cf93797a381145a2388e399a8b2d8aa69cc3b2cba3594cbc3ccec7130e55dbf1dde2808ee26490bf7061f4166e50c39b8e21f4cffe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cdebb7a7cd22d5f4c3fc1ddf4f7d9f03

SHA1
373c21b1b342742ae8b43f86d94abc6dc51bce42

SHA256
a9c4cd827fad734485ee0c381313931ceb435e4fc0e01f861e9e1444c2a3a283

SHA512
fbf940924a322ef25dbe7810225a01372de7b3a0840f856e34df2ef909908cfdaa039ca4eef4a638090669c503a68111d0a173254f1d2f713a7591d0ce5b34ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
708B

MD5
802200c1b5833a7bc5582570e21817a2

SHA1
0aad9dd1e97768f7d83d12d9a318cd26e0ca5548

SHA256
4bd0601731f459e725dbfc4fefef672a6db97d3f786fa45bcbdf9a5de0c40ffb

SHA512
f7cc9d6457e5d05033e4e9606ee181a64f18d9d1d85e98d21bc23dbd9d5fa9489932ee7f849bf835b2d269a56add407c71d72ccdfe6df129caf6c4cd68c3219c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d9ff6e460e4bd2751f0bd6695aacb86e

SHA1
caad4af05a2ff2364d8248e057c3c298d3a20991

SHA256
22bb01d34e03c6990350a3a8e8fe23adab33b417a33e70107dcbd21aace144dc

SHA512
7f9235f0173ef708bc91873b569e73bc6a5289f92700a58132a68234ca2b02307984e880d5a4a3a443149729cc95d602d57a0072c76d2108ad3d1f562249b0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
1cede67fab7b6c8062e3a41b8532fc99

SHA1
852bf8451c9487cae1a2a75f941b33592031d1a5

SHA256
aeb618f2f2ba885bfbd7b29c8c73a3f92474450a4982fb88fef7b1a59a7e96c9

SHA512
b149bd582d7f866e897fbdedf549e1af56392c4e6dc47267a507c7dadc525b1bb2f0285774ca1a6e06c3b5cfcdd7b6aae75b64b2dd3fa8b68604f6ae75bcf377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
708B

MD5
13858297eb6ab2197ab8b18327cf7678

SHA1
57de97aacf3bfcbc93347f4f016f09306a2fc3a0

SHA256
19692f5272763e22d5cf9b198870a0ae4e6e14f17bd46f852c2c03ba44e26efb

SHA512
334e5b84eef86c75d1096d734ae271868e0d2c005d0274c038091d9a4c4355d1a778c0eb4550f1caea59217217fe6aed26e61ee2dfc6f79401fc8e8d15068928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a2b67.TMP

Filesize
204B

MD5
8c83b1fc353fb499fa71bda06b94d09a

SHA1
b1989dd60f11e37f55d60bddbee4bd0bc3835694

SHA256
c98a0af1e3494384f62fc061479ebd91d396cfdc726abd6738440441b86bd090

SHA512
f428d1c9a0d72abc30dc163c6acb6c6171bcc62363c6644311bf8dbdc943a0fc3cd5a10d5d6f0ba75e448bd3a50c535c4edbd5ac41783d457423a22bb88d6b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
330275e0e57d9fdf6afdc2ff3feae0ca

SHA1
1c3a0c0d658ff837bfc9ddf0c2aa94b7e3275e12

SHA256
4162aed58e0c9748a9fe7659fe169b810382b86b292ba5f2b5d5cd2fbf33d75a

SHA512
60b20b01f78f23220a204ac69c066b3f858417f67ddaec88c5ff10889d29b50932f56d94d92ebf25dee41544d65a9d9f705e6d92abe18b2e0213be83dbbf63b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c9a31d477e317556bba08a4c742b498e

SHA1
81f904a6b9c849abc02706509c43af1e10967c34

SHA256
3fefa14a14a218c9efa063dd1fe80e9bc0e7662720df4640740eb8136e6589db

SHA512
951112a5d323a139fb39989a7f79a5f283c937bc6e730704078c1fc6618480d0e6a7a2c520b7ed17a4103ae4eeca5f7d47cf27cb8d3bd085913b7ef592ee6c01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
56d6d0055e9146af81da7f06e44e36d9

SHA1
e87b069e13dfb795081d9195e9ccbb1256c02bf2

SHA256
86779069cf4516c872a271e37e68bb63bacbf0eb756f362cf4e15d9f48c0973a

SHA512
ed0bebb66bf59310337349352280c3ce1e443f7926f9c664c6a001f1ce26fcbb8ae056d30842ce44cf91269d96283692184cc119325f3bf454e5da4cd2b20896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___A8OY3UHK_.txt

Filesize
1KB

MD5
d022bf1aa1d51cc787dba916c406d54e

SHA1
9d59a89bfe6230733cd336b4ff35bb960fcbb3db

SHA256
9a887d19b2bd93cc6eb052c79e15b09a4e8aba45026cb11bf0c934023b1adb5c

SHA512
9eb2e3e6cbcd8641af30a77c49bf484ff53ad12e265add63d4de037b8bffdc0d710e3ea8556fe7aa74ee75d12fc0b9dd41a4db6d2e5dac45601d2197924e36e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso7032.tmp\LangDLL.dll

Filesize
7KB

MD5
d02e216c527f97b5cd320770cbe03a0d

SHA1
76a0bea3650c393341e240231cf999d11a3d8eb8

SHA256
cda679d62e2852d900f412239e7c01a64a928db6c0cc03b8fa0c1eabdfe815c4

SHA512
39d99ea0045e332f197f0d6430a71adaeaccd1c8e1028ad997ffa5527e5a0fe5dbdda62e02329ae1824abad43eedd64dbfb05a1e8e19010745bfe8d53e83d990

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso7032.tmp\System.dll

Filesize
24KB

MD5
62a6f7756aabaeafe2eaa8a1b19eeb99

SHA1
24b7ec2cf0712f03911fad6b7ccf933e0879fe5b

SHA256
4c4d8324fc74a61ed5477b6602fecd1f404f524e6c17c6d7a0b682f8521a29d7

SHA512
7d30a35811f4dc5e3c4714224ac2b143d17f6a1de744db230b3a74409c6705233831e340b13d468c612b9e924cf69a62a15164e601e62609c98a46cf4ec0562f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso7032.tmp\nsDialogs.dll

Filesize
13KB

MD5
6cac9c4cbadc065beeebe16e57279a9a

SHA1
26bcac80ab11c56d8d9de74a85ef2314044f96ca

SHA256
f33b3bfbb97fedfe2d77ebb894c7db5c32b8905bedab6c58248108021cf96bdb

SHA512
854b505ca4d17127fafabc8e4d903e097b6e77d4adcb2873185333a7fac68d6e903b2e8f3ce0df639ec3c44feb3666489405ee74d49f512700ab86cec4bc9e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-phf.xpi

Filesize
932KB

MD5
251150b67c4a694555ecd4a6bdcf5993

SHA1
92b571569aa6c265a6dcf715c04de50bacf712a4

SHA256
b22c007534471a8fb74378e970ba79a536a44f88d81ad3852273b82a466d10c7

SHA512
c525dde844ac84a92ee4098369a8e8c958e475cc785fe1a6c514618a59dd48a1d75ed30523ae20b044909527d0d29102fd644e5e7853568b584663c0a0221d09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___440YQ_.hta

Filesize
75KB

MD5
39caf6c3e12dd6dde8be355b120c8729

SHA1
1868b75a89615753024ef48d323267aca907cb07

SHA256
1aadb5f5372b59d2d6d99e29c88ca3897fdd6dd692d2661ccfd0defa061d0305

SHA512
9de16f0cf035fc5ef35d48603984acd86ff5c075c509f4ac8f12fd77c2350bd324d01f904eb279ce5b1b8af6bef66da5119343573666327b8724102656183970

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
b1c8aa9861b461806c9e738511edd6ae

SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8

SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70

SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

Filesize
27KB

MD5
8fdc1fe8c42910db69a5faeec7b97c99

SHA1
f9c04d4d206f5d733ab6bb6530d509e42a3b3cce

SHA256
4186754df858930a64a396aa7a01341750cccc48bd7b80d3509da99ddb5d735a

SHA512
83160756936766d80539eb6091b6696e80708eb6cb63d6f03fd35e50c286d11867481df3b3447ba93459fdd5ad4bb0640473368137da81f5592e000d94af828c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

Filesize
27KB

MD5
6eeec6287b661dd1e19bb977bca9ff66

SHA1
9a02fdeefaa5713a2cea2f575108d537fd8ab727

SHA256
7d61b74e550a8c9fda68ece43203ac07ad9036c82f742593704b5b147389f1a8

SHA512
107269ae17f6cc8f34fc171722fb618d53dcbdd39f6e1f352ef3c4c70ad8f05f21f9d83e58859d8b5c6d87f362bc36c7e68b5efee6ad531765061e110d62e5c7

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
3a80fbcf39533c5fba931df494ab8a1d

SHA1
d37eaec0a52769f500ca757f6c780e79dfaddbc0

SHA256
7c09f47c71edefafe314bf0360ea579eba00e9898c11d4cd434259dd8ab57de0

SHA512
4b7250299d3ea3a4d44a14bec6eadd3d3a1190d5740520e3a47749c788957afbe0909660ef687a0abc024726834652ccf6d58dc492364ef47515120ce58d17a2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
84cc49fb97dc56a9384c84e5b5812432

SHA1
bd85e6b70b011fd140cd765f3c61cdb696a839a0

SHA256
e5866e94d0d329d156461c72a428b7cdc7f022956fecc2af99ee0ad0b820eba2

SHA512
7815db44c877077702201faa3c8165a55f83e7222f727f7087d4f245edaf2dd1a7912d6d3bd4c8da23425c7512d0edd593de9ec1d98447a36aca992d29ed273f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
d4dbe07346073cd926d84dcfeea05582

SHA1
b6c88ce41ef53d1624735b4f8b2a2c143c2869ec

SHA256
dc72f0ae2cfff82efdca6bcbdf1ec98a14dc388bcb0066787f1601b0bea0b07a

SHA512
cd2f0b5c6974fe9f10c761415ebb7c964a8ddf7f75b5577bf5093760ce39a450f21f4cc763f396e83f244fd3160f6d5e233994c3962f9d7ed11ef70fd911264f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
887caef0013aad5dd763c2963a559667

SHA1
d72933130c4a14e1439d40b8b6623cf26d89a6c5

SHA256
1c7d99fc42542698f56a00a338027a0e1cc52e20bd065f443f8cc1047c64fd1c

SHA512
9397f82f633e13e131356a710eafa2df47d704118ac3e9f2fc1d2980d2135460e126ef6bb09a595811189f617748caee556d2faa76a9c3a4bb66e31b459f17b4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
867B

MD5
de7a049fd7f15c502fe4395407b29bbd

SHA1
2be75233310901dad432cdc63adeaba8e46c4cd5

SHA256
444d8d8e0cc4b5f04175e45bb8a29942bb2da978abab9ad73a38fe26a8f7a423

SHA512
83ded87329e7fc9047ea33b7478b940274912b05289eae6332b3571f321296d2b34951c8b3c043174e3a8eeb70568576d0789e46d2e3c9bed1885551118f1612

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
5KB

MD5
a5a14ccdb49149be5dd89d9e72a4acd8

SHA1
f28a1dacb4ab46349de4a43910f418d60ae205ff

SHA256
27b74edc716e85844f3b97e489cfaa9f9de0014efec4ea82307cc6c2bf4dcb04

SHA512
86b652bf2bcfce6107365bcfc0410f140da4b2a1e1c2b9e92c19aa72a7ee6ef0d6e9065b42264931c815e4404f4c088f51184dd04f213c615ce67d6cb2de9e60

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\default\moz-extension+++98f9c25f-e662-4e2b-9922-29f12c89571f^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite

Filesize
48KB

MD5
873b57feb3a367b5aeb1d7945adedf9a

SHA1
cea98d9f8d88f8593456719165648ffbeffe4367

SHA256
5fd3a991458b64057ae316410709a2cf53de775686d9f45637d9fb10d6617a32

SHA512
34f4be1ae90ae8e988797def209f5a76ad569675213200152518a3f3dd89bac15caed5b0d30f93874a8e492932a088de9e05d35d996406a1e7ee0a2838b58eb8

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profiles.ini

Filesize
103B

MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
0e7d883e830e256a3cdc304265594b06

SHA1
2b88c0ae629263ab04fe37204262c7da52c3b270

SHA256
b8b90af3e8d52dab906bef7013168bdf120b1eed5eae88592a7d5c38ae413b9d

SHA512
fcb93dad72ff783efe6c3ae876c9ce000ba78d61e950b8e5fba26290834b26ba6b802d6a464148433011cd6c1369333ce41ea6b6ae2194fb3fd1e02ef7c03083

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new

Filesize
17.6MB

MD5
2c1ee8a776f202ea13a7bf9546fa5356

SHA1
9fd299fa303055852367b602f7190501787db3bf

SHA256
64e967e2f122a7d7f83524f454c8c68705113d744b8fa49cbadfe0ed4abcd4cc

SHA512
505c87afbdb80aad7ea00f20e84eeff6f51c8a7f9c8e1e0df0a47ba7144d07a1de7ddc24e68550f276bd42622377d29c943b2a480697061ec06ececd160ed757

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\browser\omni.ja

Filesize
24.8MB

MD5
66dddf1dae49706c992cfceec3f3ba23

SHA1
074cea24e40f3b6ce7bbc68ff542b462be1c7fe0

SHA256
f13063c411765c6ee1190fb2870c1bb794cfc367aef9a53b7ca44019347c2eef

SHA512
1e4f60e286e87a9720e1c41fa584e69036c20e77fa139f4e2af2bc2e2037441b7522e2fac3224116de011fcd2d2419a35f1e3c296f20157fdf91827e5c4d5630

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\defaults\pref\channel-prefs.js

Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\dependentlibs.list

Filesize
42B

MD5
70b1d09d91bc834e84a48a259f7c1ee9

SHA1
592ddaec59f760c0afe677ad3001f4b1a85bb3c0

SHA256
2b157d7ff7505d10cb5c3a7de9ba14a6832d1f5bfdbfe4fff981b5db394db6ce

SHA512
b37be03d875aa75df5a525f068ed6cf43970d38088d7d28ae100a51e2baa55c2ad5180be0beda2300406db0bdea231dde1d3394ee1c466c0230253edfe6aa6e4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\distribution\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

Filesize
930KB

MD5
a3fb2788945937b22e92eeeb30fb4f15

SHA1
8cade36d4d5067cd9a094ab2e4b3c786e3c160aa

SHA256
05b98840b05ef2acbac333543e4b7c3d40fee2ce5fb4e29260b05e2ff6fe24cd

SHA512
4897aefe3a0efffaa3d92842b42fe223f0b9882031a65bea683f4554d1fec92b8a66ea15c67e9b95c7fc12991cde3245010ccfb91768ba233711ced3412c13bc

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

Filesize
1.8MB

MD5
67f708f227c0338550952313e5e382f7

SHA1
43511dfa2d91f6cc4c429336678cbcf08ddb6489

SHA256
a2ebed521db5d43af62eff32b7ee77a7a342ae6661a0fda60be785329b3956ba

SHA512
4a0fdece1ed1a290731ef21e976f3074b70660c957cdc2067d506e4f08f3af7673f578afb108263e7a61ac6e773c0f747ff325b7fa4a3eaa1f77872743813614

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\lgpllibs.dll

Filesize
43KB

MD5
f6392fe326919b1db4aeeb8aeb6820de

SHA1
0ff0f4c214344eabad089ae87d26a94cafc722dc

SHA256
9c9d86ba3a50de00dc85ea5c04b7e1e65176405732b5c95e9f099411b051fa34

SHA512
4bf9a7d0f89f5f5cad63e18fdb798c247b9504157f9ab771ac6240fd8cbde8e948aaa0764ec312807bebe0139afd20a964d4bdc77b96420236ce68240f53d0fd

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll

Filesize
1.4MB

MD5
eb388726725c57ccd28cad1dccee33b6

SHA1
35429d8a907b07286a884c0e9cb2fcf78e93f8a1

SHA256
a6bbd19e33a9d2b539c798261ed400c74b239527ad17109ad549a972bd6cebd6

SHA512
dc9aa4f26a86fbfa6caf7d476e59975fc79da314eab8cdf5e2899d681e8b9d3767e531a656471e3ea2129f4e688ad1e0c472eb5d20ea8a8ed94c00d9fc66a48f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nss3.dll

Filesize
2.5MB

MD5
43cd2b07fa362a2f229968c0e834093f

SHA1
2f637aec344e6bca1df4a51cb05c0cd10d3d6dc7

SHA256
4625cfe435db2f7d9d2bc722a2e8e7b46c6f74a6f5954cca2daa2c94c3265f7c

SHA512
c32c982ac99fead6b8d7f0f3bad200c4d54f5d5b7187ea44ec79c9361603ac5438ace94bd5fd614f41f49684195b7777de195848dc004d7c7a1d02a29c6ae5cb

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\omni.ja

Filesize
18.4MB

MD5
8fd3941992025a21c4822049d0e06e63

SHA1
4c9f80b5e14ada595e59257bd833c716d73042a8

SHA256
f13a14ef31a833630c85557906706e6af92f3c4f0a42bba8103de4b21a12b22f

SHA512
a9ea6315b782e28d8af2db746867c786b6fd4a16c1393db98309d705437eefda0fdb1be6fc8ac745ea6a743d3672f6c47dced7de2836846383b78ff962240f8d

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\softokn3.dll

Filesize
288KB

MD5
cbcdffcdcd140b9ea3dc081ecfcbbd46

SHA1
ab44ac9317b82edb780a2167da6d459b9a423a74

SHA256
16ef79086baa56c10589ec945fa3760ddbbbcf4061612ad4a6992bfc24cd26ba

SHA512
5e46812981012f29011161740736c35d356d49b23062cf8d73a5f1ea1b08f107e8db29086881d9c556f7783cfab9d580bc67b0ee813192ddea28ec2f46415129

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Tor Browser.lnk

Filesize
829B

MD5
68ea3fa57d8c0c4a57e386db4c854c75

SHA1
ef0b22ea46b252463e566b7fc8ae7bb844a4c174

SHA256
68d9452b92d495fdde1be04567f08182a1c1a6df3a4d36ea19694519ba2372cb

SHA512
e1d7a812e958749ea5a7c2dd153411d74dcfeed23131b135d139074f79e57ebad6a509b54f3323112728f7c63df865afbf22e94383884bfc16a9f29a95539a81

Download Submit
C:\Users\Admin\Downloads\Cerber 5.zip

Filesize
181KB

MD5
10d74de972a374bb9b35944901556f5f

SHA1
593f11e2aa70a1508d5e58ea65bec0ae04b68d64

SHA256
ab9f6ac4a669e6cbd9cfb7f7a53f8d2393cd9753cc1b1f0953f8655d80a4a1df

SHA512
1755be2bd1e2c9894865492903f9bf03a460fb4c952f84b748268bf050c3ece4185b612c855804c7600549170742359f694750a46e5148e00b5604aca5020218

Download Submit
C:\Users\Admin\Downloads\Krotten.zip

Filesize
25KB

MD5
1aea5ad85df3b14e216cc0200c708673

SHA1
e3ee16e93ba7c3d7286dc9ebbaf940f0bcb6cad3

SHA256
8dfa496c93680adc10e77c0946c7927d3e58d79900013c95dfca3411d766bd16

SHA512
06faa190350e4558c6d4f1f201dc0698587495897593aaeac16f3ea3d8c1c7f81d65beea6bc7e730ca1df9bdfdf3cd2bcc84bf50f64787e0b1dbd21492796f36

Download Submit
memory/2412-278-0x0000000001520000-0x0000000001551000-memory.dmp

Filesize
196KB

Download
memory/2412-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-702-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-722-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-282-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/3884-2849-0x000001C766620000-0x000001C766630000-memory.dmp

Filesize
64KB

Download
memory/3932-3049-0x000002D0A0420000-0x000002D0A0430000-memory.dmp

Filesize
64KB

Download
memory/5732-1533-0x00007FFE5AC30000-0x00007FFE5AC31000-memory.dmp

Filesize
4KB

Download
memory/5732-1532-0x00007FFE59C50000-0x00007FFE59C51000-memory.dmp

Filesize
4KB

Download