hxxps://www[.]torproject[.]org/

Analysis

max time kernel
1440s
max time network
1447s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/09/2024, 14:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.torproject.org/

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1472	tor-browser-windows-x86_64-portable-13.5.3.exe

Loads dropped DLL 3 IoCs

pid	Process
1472	tor-browser-windows-x86_64-portable-13.5.3.exe
1472	tor-browser-windows-x86_64-portable-13.5.3.exe
1472	tor-browser-windows-x86_64-portable-13.5.3.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.3.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 107518.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.3.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1128	msedge.exe
1128	msedge.exe
3648	identity_helper.exe
3648	identity_helper.exe
4408	msedge.exe
4408	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
4356	msedge.exe
4356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 3836	1128	msedge.exe	80
PID 1128 wrote to memory of 3836	1128	msedge.exe	80
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1368	1128	msedge.exe	81
PID 1128 wrote to memory of 1180	1128	msedge.exe	82
PID 1128 wrote to memory of 1180	1128	msedge.exe	82
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83
PID 1128 wrote to memory of 1552	1128	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.torproject.org/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb6db3cb8,0x7ffcb6db3cc8,0x7ffcb6db3cd8
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
  2⤵
  PID:608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6332 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4356
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.3.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=1924,14602628537379870152,2311440577176234802,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=2076 /prefetch:8
  2⤵
  PID:1776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
f035817f0bd7267d9c0a40352332a34f

SHA1
de5f11ccc8a7599077fedd44b7d5dfdfd088786e

SHA256
ba86139bbe2f000be0bd042a2f2dcd311b73b2d878a73eed8fd04ec2ab488a9f

SHA512
1b5579e0306a1884dc291038b0e35701211f6913e4ec65341e4e9c9bbb00069e4491adb77cf63c6e2811a6d1c45f982ed1b62f4ed555e01996f9b24d204ee902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
6e1b10360e7f246eff65dcc991aad21c

SHA1
2da747106a85a7f854e4444f8439daec1f3abce7

SHA256
054e674433019051ffa427c640c6688bf6b51801566100bfd74477bd86fce807

SHA512
3cb938362a5f4da45b207ea123e7e51f32b042f8a68056a28d67bcfcb1f17e57b1a6fd9d37811fd36424e3bf686a3f7c5c7e3ab08798061775577951d1b790f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
453B

MD5
30408ee4bf7aa04727942e0a4ec9153a

SHA1
3f1304f91fd39f65b8abf75e8c6f824154d03dde

SHA256
6e3838cf353303770b40e584dc5d9851c0ae77b838f9502139eb75b860b53ccf

SHA512
06bc0da07ac0ab25f970d8eb8d45f8b08ec1374c016665dff21893efd81530588861c4a5a2989f7f64a3befe656fbf62708fc05443714ca46e250aa3afd8713b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f0c89c2b35150e837f11a4dfb8d0c82b

SHA1
73c566964cf13dd5ac6d04af1311cd08bb7dce80

SHA256
06d7218973a8c7e3f69abe5871bd5a6c5f56d776011c787ac9299abfe8f98b12

SHA512
44fda5a6234b8b365bef012898e8dc1cb6864890d9b8911520fdf4a47db5298b4be1bc92c9650e1f382f36c1744be44a4f01711614cfca55d9f31250fcc3bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
afd5a1419e3151c074cae413c9b73ebd

SHA1
ba39031f5c32d72d0f27422314df07c81548463e

SHA256
ec89ac2b87f2eb03b0b09bf4f1eea763c83b32107b6d821e9835c06e6d025487

SHA512
c9829a653a22070477dbc79acf31323a10acc8711a53389f9baf4578f8acbe6a38cd6799efc9a299f5ee56e08f163e2e2daddace5f82d84794536695c9d22c05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
450ebee54e366cbb4ab42ff0e5577794

SHA1
6c9b9b7130a51f3870bd1e5889bd9825d16462f6

SHA256
2146ee23d9f4322f1ee9904462b9c88730811075deb4e9c9b90a24cc93399c01

SHA512
4d3408c3944e31a3f051040e7bb2841b69c1b19e4f9cebe1f41c7c0ddf0e195957306f806e325a20f58cf6743c3b7d5d45ecd4d90c9a42aab8e9d9f90b7e76ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
033c5687f666dd0f162fb516f226b4af

SHA1
0c60ca4d5a2c54383d2ce16e8b8c6817f4971504

SHA256
d006b134386de2abf4b53c7b4bf7c935e482ee2eb75604839172b152b5ec580a

SHA512
02b566326f6bc30831c6b5d7d2ac41e856b4525e8b48f98d8fae0f1c74eb52b6a5f51f20b1aaf951069fdaef789e7d7a5b6f10185c69bb0e3d2f57f1c76e8a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b6c83c54b9f011382ebcf77513b152e9

SHA1
457fe0d79834abc64b768005355ca4e8d13d21ec

SHA256
8d5dd664f0b6018ec771e67a40cf489fc166d652c7852f5c04a84f86b2d588b8

SHA512
3fc5450cbb2cf3d39973e555af36d2f92256ba166426a93c3b6bb8874129710e02a352bb06093ccb71e518d2e1c064e002420c729516d7aa3cce9dc7dba0116d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d122eae656b3ef87805c35061329f3f

SHA1
9f875ed5740c51d0038c4d2504daa5939d5706cb

SHA256
5244086850427c3771da4804230d0d7264ce79f809aab0da19b199e0760d8434

SHA512
f5694d6fbbbab126e65693c7d35a977ea42c307c3dcb179e54ee017f08e3fb5c11b980fd2e52e2dec6bc99290e618095ed516e59d0cdf96ab7b9f6592caf468e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
a16b8bb1e1cb16e15ef94b0c7185d16c

SHA1
6901dc04b7bc7f015bd262b810fd3576f1881da0

SHA256
372d680aadea132570c8b60f8f6b71a71d553dbd3d86a4dc35b03160a0b4ef12

SHA512
0b93f8a514c5065196d165f4fe35281aeb16f1813e19a6d9a24ed4d77a66d1749ee6021704e2996b5797e53b48fb68de88af55050fc1f8e1e9025b9e430e12c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
540B

MD5
70e03ef7f45abe90cd3e2823b8725b8e

SHA1
7ca9a1057e5aee10c65f2f0541898f9f62a014e3

SHA256
e41ef686d3bd12883b09a3b003cebfb52202a40911c9ea00a41470ffe07baba9

SHA512
3cb168fc0cd8ccdb3eb056346cdf0dce759bd2385427087da3779a5b2a440bc82343a5741746e5a3013c8937674a0e5fa01e24eb0a1d406ca421da2f6fd061b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e222.TMP

Filesize
204B

MD5
5f111d67e07a38e4939160dca433b560

SHA1
aa812a18117310bf2b0ceccc8243016e23a4bc79

SHA256
aca550800d99221a322bfad46255516412a1c26a6414ed516550e4980052f7e6

SHA512
cb8fdc2744a8c8129f057af57869d0772f072f991282906241b38b915ff27e3e02d8d7fc57ff7dac1af3437cdf95d8b018173cfae0f136de1ecb024aa04ba03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
11f171cd582b4acb043becf114e63b54

SHA1
cd5c8b95f09f90946d3dfa61dc2ea78bbc172c56

SHA256
e8bd89bbe2a08ab217a04d4831b83f9fdb07ca6d742161c05adf1e1cd93292c6

SHA512
fad7e22abc3e730d2e519e2b9bd7884140a5cbc8fc60b9e7a417c4162e517c599666267d31ab4290ba65be7ad6d805b624d0b53ee2c02aeffbbf354a4e180f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6f1f9349a104570d492b592750f07430

SHA1
52976adf5b2935f409de85b2d4ab40dd2d22e9ac

SHA256
5316606b7ce3e52d69684cb019c7e727e70e5df6f3ce3c2ab879aba4efbf919c

SHA512
39c976b09c38bf99e77052f2e621b1e44e6f6e48ce5f45170dd58fbdc28dbca2368a9fec187df5c2817aaf93bcf4b8e1f02d79d5107b06b52e26da656520531a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqF758.tmp\LangDLL.dll

Filesize
7KB

MD5
d02e216c527f97b5cd320770cbe03a0d

SHA1
76a0bea3650c393341e240231cf999d11a3d8eb8

SHA256
cda679d62e2852d900f412239e7c01a64a928db6c0cc03b8fa0c1eabdfe815c4

SHA512
39d99ea0045e332f197f0d6430a71adaeaccd1c8e1028ad997ffa5527e5a0fe5dbdda62e02329ae1824abad43eedd64dbfb05a1e8e19010745bfe8d53e83d990

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqF758.tmp\System.dll

Filesize
24KB

MD5
62a6f7756aabaeafe2eaa8a1b19eeb99

SHA1
24b7ec2cf0712f03911fad6b7ccf933e0879fe5b

SHA256
4c4d8324fc74a61ed5477b6602fecd1f404f524e6c17c6d7a0b682f8521a29d7

SHA512
7d30a35811f4dc5e3c4714224ac2b143d17f6a1de744db230b3a74409c6705233831e340b13d468c612b9e924cf69a62a15164e601e62609c98a46cf4ec0562f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqF758.tmp\nsDialogs.dll

Filesize
13KB

MD5
6cac9c4cbadc065beeebe16e57279a9a

SHA1
26bcac80ab11c56d8d9de74a85ef2314044f96ca

SHA256
f33b3bfbb97fedfe2d77ebb894c7db5c32b8905bedab6c58248108021cf96bdb

SHA512
854b505ca4d17127fafabc8e4d903e097b6e77d4adcb2873185333a7fac68d6e903b2e8f3ce0df639ec3c44feb3666489405ee74d49f512700ab86cec4bc9e44

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.3.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit