hxxp://tor browser

Analysis

max time kernel
1792s
max time network
1800s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://tor browser

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-13.5.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	firefox.exe

Executes dropped EXE 33 IoCs

pid	Process
4432	tor-browser-windows-x86_64-portable-13.5.3.exe
528	tor-browser-windows-x86_64-portable-13.5.3.exe
1500	firefox.exe
2852	firefox.exe
5096	firefox.exe
3844	firefox.exe
4084	tor.exe
3464	firefox.exe
3708	firefox.exe
4576	firefox.exe
5736	firefox.exe
5764	firefox.exe
5704	firefox.exe
5548	lyrebird.exe
3880	firefox.exe
4808	firefox.exe
5640	firefox.exe
3484	firefox.exe
3844	firefox.exe
736	firefox.exe
5064	firefox.exe
5356	firefox.exe
5396	firefox.exe
5156	firefox.exe
5796	firefox.exe
1964	firefox.exe
2716	firefox.exe
4284	firefox.exe
3064	firefox.exe
6100	firefox.exe
1636	firefox.exe
3380	firefox.exe
5708	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
4432	tor-browser-windows-x86_64-portable-13.5.3.exe
528	tor-browser-windows-x86_64-portable-13.5.3.exe
528	tor-browser-windows-x86_64-portable-13.5.3.exe
528	tor-browser-windows-x86_64-portable-13.5.3.exe
1500	firefox.exe
2852	firefox.exe
2852	firefox.exe
2852	firefox.exe
2852	firefox.exe
2852	firefox.exe
2852	firefox.exe
2852	firefox.exe
2852	firefox.exe
2852	firefox.exe
2852	firefox.exe
2852	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3464	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3708	firefox.exe
3844	firefox.exe
3844	firefox.exe
4576	firefox.exe
4576	firefox.exe
4576	firefox.exe
4576	firefox.exe
3464	firefox.exe
3464	firefox.exe
4576	firefox.exe
4576	firefox.exe
3708	firefox.exe
3708	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5764	firefox.exe
5764	firefox.exe
5764	firefox.exe
5764	firefox.exe
5704	firefox.exe
5704	firefox.exe
5704	firefox.exe
5704	firefox.exe
5736	firefox.exe
5736	firefox.exe
5704	firefox.exe
5704	firefox.exe
5764	firefox.exe
5764	firefox.exe
3880	firefox.exe
3880	firefox.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{2117E68C-F6F8-44FB-B3A6-192434A3ECFB}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-13.5.3.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lyrebird.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lyrebird.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	lyrebird.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 311469.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
1900	msedge.exe
1900	msedge.exe
4376	identity_helper.exe
4376	identity_helper.exe
1484	msedge.exe
1484	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
2564	msedge.exe
2564	msedge.exe
5548	lyrebird.exe
5548	lyrebird.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	firefox.exe
Token: SeDebugPrivilege	2852	firefox.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
2852	firefox.exe
2852	firefox.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2852	firefox.exe
2852	firefox.exe
2852	firefox.exe
2852	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1356	1900	msedge.exe	83
PID 1900 wrote to memory of 1356	1900	msedge.exe	83
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 4300	1900	msedge.exe	84
PID 1900 wrote to memory of 3076	1900	msedge.exe	85
PID 1900 wrote to memory of 3076	1900	msedge.exe	85
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86
PID 1900 wrote to memory of 4028	1900	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tor browser
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd99e846f8,0x7ffd99e84708,0x7ffd99e84718
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4092 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5468 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,17131366989587358882,11644570521456164136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.3.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4432
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.3.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:528
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1500
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2852
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.0.332154276\164232171" -parentBuildID 20240903073000 -prefsHandle 1716 -prefMapHandle 1960 -prefsLen 19247 -prefMapSize 240500 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b0826523-6d6c-488d-b2f9-a4118a43b80f} 2852 gpu
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5096
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.1.2132925886\1121993968" -childID 1 -isForBrowser -prefsHandle 2388 -prefMapHandle 2344 -prefsLen 20081 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {41bb955f-0d6e-48ed-ae13-94dc1b0f03ee} 2852 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3844
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:253bc5f6f2666f5d606dc44ab1259d2bc0238a7ba138710dc3bf5a2cd1 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 2852 DisableNetwork 1
        5⤵
        Executes dropped EXE
        
        PID:4084
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.2.172709949\648911239" -childID 2 -isForBrowser -prefsHandle 3344 -prefMapHandle 3340 -prefsLen 20897 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b50585b6-5ee9-4347-8587-eb2d9b084095} 2852 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3464
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.3.1740345317\1537237848" -childID 3 -isForBrowser -prefsHandle 3292 -prefMapHandle 3296 -prefsLen 20974 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f7fa5db0-7eaf-4d88-80e8-93db96aea836} 2852 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3708
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.4.1306951861\88722763" -parentBuildID 20240903073000 -prefsHandle 3644 -prefMapHandle 3556 -prefsLen 22413 -prefMapSize 240500 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {42b76cb3-f4fe-4f0d-be53-04f77d019087} 2852 rdd
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4576
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.5.1581826812\412423866" -childID 4 -isForBrowser -prefsHandle 4108 -prefMapHandle 4100 -prefsLen 22264 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7052b9ad-a583-4337-8871-fcc4c4391bba} 2852 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5704
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.6.705608906\578761925" -childID 5 -isForBrowser -prefsHandle 1584 -prefMapHandle 1672 -prefsLen 22264 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {66894576-15c4-4589-bae3-e55fe00dfc56} 2852 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5736
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.7.1470010533\454757351" -childID 6 -isForBrowser -prefsHandle 4512 -prefMapHandle 4508 -prefsLen 22264 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {40b161a5-1a18-4cfe-a4a9-8f2f9af8db59} 2852 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5764
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\lyrebird.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\lyrebird.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:5548
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.8.767776513\1009524388" -childID 7 -isForBrowser -prefsHandle 1580 -prefMapHandle 1404 -prefsLen 23275 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1ae9ca22-3f35-4faa-b62f-6ecfbc343ed7} 2852 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3880
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.9.1891417143\1743699705" -childID 8 -isForBrowser -prefsHandle 4316 -prefMapHandle 1420 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {54841627-8950-467e-b617-dc842c246765} 2852 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4808
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.10.732606438\195781759" -childID 9 -isForBrowser -prefsHandle 5060 -prefMapHandle 5084 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {087f9a27-6d48-4339-b020-3aae3468c793} 2852 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5640
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.11.1604990948\898631952" -childID 10 -isForBrowser -prefsHandle 5280 -prefMapHandle 5268 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {27a7729b-0380-4900-8115-7c8e3da57c06} 2852 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3484
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.12.2001744476\153683828" -childID 11 -isForBrowser -prefsHandle 4628 -prefMapHandle 4612 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {0372e5d2-b543-448f-9dbf-0bef9c8ea72d} 2852 tab
        5⤵
        Executes dropped EXE
        
        PID:3844
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.13.797537768\417604757" -childID 12 -isForBrowser -prefsHandle 5568 -prefMapHandle 4580 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {6939541f-335d-40a9-9665-a673c6f81c05} 2852 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:736
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.14.371281794\1230832337" -childID 13 -isForBrowser -prefsHandle 5604 -prefMapHandle 5748 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e795a61d-372f-47c4-9cba-d750e8dbac1a} 2852 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5064
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.15.1396865372\1129009584" -childID 14 -isForBrowser -prefsHandle 5312 -prefMapHandle 3548 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {680a4cd7-251e-41ff-864c-a48b2d15d79e} 2852 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5356
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.16.1990751681\453158208" -childID 15 -isForBrowser -prefsHandle 4740 -prefMapHandle 5440 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {943a342c-6ef9-438d-9f75-ae745c8939e8} 2852 tab
        5⤵
        Executes dropped EXE
        
        PID:5396
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.17.2078075581\1542035443" -childID 16 -isForBrowser -prefsHandle 2908 -prefMapHandle 4812 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {274c9fc9-6086-4197-af54-4d7b4cb4a458} 2852 tab
        5⤵
        Executes dropped EXE
        
        PID:5156
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.18.1003643354\1366955302" -childID 17 -isForBrowser -prefsHandle 5704 -prefMapHandle 5656 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5eaa8596-4da2-4957-b83a-81b9498ee7cf} 2852 tab
        5⤵
        Executes dropped EXE
        
        PID:5796
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.19.1106861023\829142093" -childID 18 -isForBrowser -prefsHandle 2300 -prefMapHandle 5376 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {4992e71d-4ddc-4040-afb9-d83632eb919c} 2852 tab
        5⤵
        Executes dropped EXE
        
        PID:1964
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.20.1160723085\60912888" -childID 19 -isForBrowser -prefsHandle 5332 -prefMapHandle 4144 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a063369d-4bca-4adb-b471-08a1557844d5} 2852 tab
        5⤵
        Executes dropped EXE
        
        PID:2716
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.21.2000662271\758394268" -parentBuildID 20240903073000 -sandboxingKind 1 -prefsHandle 8596 -prefMapHandle 8924 -prefsLen 25347 -prefMapSize 240500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5fb7bc5f-7004-49a3-98b8-7baec6cc88c5} 2852 utility
        5⤵
        Executes dropped EXE
        
        PID:4284
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.22.863471171\1608688280" -childID 20 -isForBrowser -prefsHandle 4492 -prefMapHandle 5224 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f88d3ef1-e18f-4fcd-93ea-cb740dba9953} 2852 tab
        5⤵
        Executes dropped EXE
        
        PID:3064
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.23.1089104692\1458910346" -childID 21 -isForBrowser -prefsHandle 8368 -prefMapHandle 4160 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {0188407b-8afb-451b-98e4-efb91e241b05} 2852 tab
        5⤵
        Executes dropped EXE
        
        PID:6100
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.24.745938461\2067178833" -childID 22 -isForBrowser -prefsHandle 9240 -prefMapHandle 4608 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1d138a03-d537-421e-bb3c-696134963f70} 2852 tab
        5⤵
        Executes dropped EXE
        
        PID:1636
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.25.1500306971\886761230" -childID 23 -isForBrowser -prefsHandle 4612 -prefMapHandle 3948 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ed5ed135-ee93-4ddc-ad3a-ee2c97b3fa3b} 2852 tab
        5⤵
        Executes dropped EXE
        
        PID:3380
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2852.26.877465608\1387927271" -childID 24 -isForBrowser -prefsHandle 7960 -prefMapHandle 7976 -prefsLen 23354 -prefMapSize 240500 -jsInitHandle 1184 -jsInitLen 240916 -parentBuildID 20240903073000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2e1c8813-86c4-40d4-9183-89e0cdc97fb5} 2852 tab
        5⤵
        Executes dropped EXE
        
        PID:5708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
35dd3966875b8f753095e1368bdab8ca

SHA1
0be3e5a127fb86d7e9ac4ee63c3b369a6d261d2a

SHA256
1b91b7448bcc2b3c514459b2dcc18df1ab61d0d137ceb6b8ab1217ebbc7faf4b

SHA512
86267d371f6d14b8a33b8b3fb3afe0ef5fe5709b12091f5126ff8968fe27cd6239d83e90fd76a7b6cbf5ff6ba0df4f6899fa18d1be631b3edcfbe8a6a756fb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
835B

MD5
2ace1a5f30dcf22905fb3de414035c82

SHA1
fd68e9fe5d24d2148716ff9c49a813aa5b691c75

SHA256
4c37ae24ad9a5335a3e264fa36d8e56aa5ea832e9c749f4a03fc0bf22f5a562e

SHA512
d1a3f10db4f5c6435c27ae1d400c845435735ff00d218240e9d4bd0a91799e104e9ddc4faa15b42eead72aa321c55e96bd22d75b95ffd3474c819de0284d3987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
743B

MD5
66843fb078881207102516bdd11c4f9d

SHA1
919dab5a36dccd820757981ab071ce1131e104c3

SHA256
ed7661df57a9b8ff75987482f0fffa5a9ff738dcb5d927c4613f828384a88259

SHA512
70a46bd420ccb21818577cca19958f907ebc873cb1574498cbe3474a83e680a7a30ba557f170f1e043b20a15554ee0195c4867f3fd202a6c4e0ba61c40e2f0d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
833B

MD5
017d1ba173ef1addbce1af6cffa0a417

SHA1
a79d026672a66bd3a7cf07873a49de71732e32f9

SHA256
6bf2b05aeb5b4f1797199e3a245f485cfcf4c16943d1eaa4cd44c43c0b8f6ab7

SHA512
0f77e3c8caba5ae94e451b1ff75dc90c11902350b4311041cd68f3a6da5e8b41b69f65a295bc319bbcefa00f782dc94874f23fd09de120c4259022caeb672a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
833B

MD5
a38707c9bec5ba58ee82b59c328179cf

SHA1
c5bb3916bc7fdb11e35041e355a0f7a36714e7ac

SHA256
c312b1d5af81101488e1fabdfcae1b69299725aa57c6035141ac19cac1ae9421

SHA512
58dd9226962d2f03a7c5fada02f40a28012069505268d27cfe7f0708900ec45f029060756e6775494605da439c04305b654a68d3a0b6c121360f154a3705c720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
833B

MD5
268389d47e6c72870f30ea1bb90fc446

SHA1
7297dfdf7fdb7bb8f57cb4ccd7ec162486f99948

SHA256
f4d0e0e4e9ac09cc01c23fc5729502a9824ed9b083fd47b2a8361030c81272c8

SHA512
1d97bb8385b40dabdd7f4199422c76275fcfaa619fe46c69f909f7fd790911852826928edb792079610fe53414b8f26319b2de9f6e7c29cbd51b4c2712409a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
833B

MD5
bb63cae502ebb7318b55fa269549f05b

SHA1
b5b3d9c0998133d3c85e7c5fac9b53bb0a5aa0d6

SHA256
7b4f49ba02568f48b66193862b3be6b8b36dbe9c73ca0316ce3562688bec7b4a

SHA512
9e5731059457b388dcfa9d0db1b6fc72a696539f3be325cd214b9a6d3ab720e2148644b2d6928c155bc9a4f6ea744176ad112d0a1698379d0fa1fb9455b793a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6f61e1bde73789a7bdcad182cf90cf64

SHA1
2c1a079eb4a565de35988a8c303590d38aebc6f9

SHA256
a4bdb47c9d56b81c628744c46af61a8d19b915eda56b6bcf87f389ce88a9513b

SHA512
e3608b0509b8c3c5a088e922e746c5a51cc3f7216b207b0d4a791390f7b9ece9637c6c197c5671464e4f65834c7f566b88ed1eb62c112a9eb1c3ef17436d5318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ac08372cccc4cede248fa496af8a847

SHA1
37d7cb8baff8927b1be4b630671056039057fb70

SHA256
c50e7b3b045072c2696f067cd5f51828bb1dca56fc396a30041947b3f0aafff3

SHA512
d40693fed26a4533b6c1b5261581195a4f2bb83db8da77303d176c1494e37d029309626081a1fe114b0bb2290ddde8b68209ca1104e1ce70b0f7cdf12f6669ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c699f7249cfa6169108c9bfba28619f6

SHA1
aa706525354aae135d028778bc4583692009fe17

SHA256
f15ab943fe67987fcf506bde353fd27d6f4c9126e4bb4e964a261a177fdeb3ca

SHA512
a2f3fde1d29989dc1fff5d4905cd637ade55cb072154114c9bf2b1c4c637088761cafd4fae45879b58b1930da49b7232b86c994abb2fb8de6092960a0eb9b7cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
56bb8d4269567b826f7486a14d0e7c40

SHA1
ae822e914a1b6180cefd755f91ba11fa78cd6b82

SHA256
3487d4ce6a70f60e996d4f5ab24fa902579827ea7e01efb7ea9d2d7451cde6ba

SHA512
79f3c6af6948c5b82c9850d304bc320358043a9af55a473d5004b02b9353c7dcffa4b71d12e0050233eb290a27a593cbfd0b9822da516471ecff95059fa06bc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
866B

MD5
7328cb1a0a8c5752f63ed177d47adcf1

SHA1
df37b5256b89c1cc88b1138cccb38b1e3e692da4

SHA256
13eb403aece426fa6af48fdddec7d1f5b35e475fc1c6e5adb67436dfac28fbbf

SHA512
594ba58a9c3bc85161dad73d905bb380d2e050875e718bedda942669c3d7c6a10a36baf898902ce270808292952773eafafb46989b5d9d3ff3f14925c9897659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58269e.TMP

Filesize
702B

MD5
d667acc8a9c8cb326edabaa957ad77de

SHA1
d124f7fe867a3279761ec8966f1eaede3721d0f7

SHA256
85ac121fa2895f0b82f12ed777ee56cae508323dbe7ee8943098fa1239560a8c

SHA512
41d607e0284acdcec0352230b07f7f50c88b2e2e1a7973c688fc0d00758a19e0f65903bff580b632dfe969aef9f77e360347b46206bc9b30a86a3fcb01d354fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec315ec0b69df3191b93b39e3c5face0

SHA1
955ba83c0ce3f950c957a8b45af05618edff04e9

SHA256
ec524e5ba8230428abbba6d69c8dfb666cc2a2bb286ecafdf2834d7e2546bfe6

SHA512
88d88a76b1c033a23e584d9f6349500113102913602c2cbd155b8dd40e1104f1803c7ed0538ec8c5780e66024628466d53372e4151af6b4b4cfb427b0f6f50a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d589dd1721fcd75a2820b026cb6d9dfe

SHA1
72c9870229128eb34caebf4c7687fa9f6e6ecded

SHA256
3bbc4392b19e88b36e31210b6a4decd223902192c5a936324f6568e7813beeed

SHA512
3852cb69efeab77ab3816c573f56875fb7179bb52e8d81403af3da07052a3b80e5c71d770c508e4767d05278e4d9cd3cf44fddda9c1ca295b907b68d93c14b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw562.tmp\LangDLL.dll

Filesize
7KB

MD5
d02e216c527f97b5cd320770cbe03a0d

SHA1
76a0bea3650c393341e240231cf999d11a3d8eb8

SHA256
cda679d62e2852d900f412239e7c01a64a928db6c0cc03b8fa0c1eabdfe815c4

SHA512
39d99ea0045e332f197f0d6430a71adaeaccd1c8e1028ad997ffa5527e5a0fe5dbdda62e02329ae1824abad43eedd64dbfb05a1e8e19010745bfe8d53e83d990

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6E9.tmp\System.dll

Filesize
24KB

MD5
62a6f7756aabaeafe2eaa8a1b19eeb99

SHA1
24b7ec2cf0712f03911fad6b7ccf933e0879fe5b

SHA256
4c4d8324fc74a61ed5477b6602fecd1f404f524e6c17c6d7a0b682f8521a29d7

SHA512
7d30a35811f4dc5e3c4714224ac2b143d17f6a1de744db230b3a74409c6705233831e340b13d468c612b9e924cf69a62a15164e601e62609c98a46cf4ec0562f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6E9.tmp\nsDialogs.dll

Filesize
13KB

MD5
6cac9c4cbadc065beeebe16e57279a9a

SHA1
26bcac80ab11c56d8d9de74a85ef2314044f96ca

SHA256
f33b3bfbb97fedfe2d77ebb894c7db5c32b8905bedab6c58248108021cf96bdb

SHA512
854b505ca4d17127fafabc8e4d903e097b6e77d4adcb2873185333a7fac68d6e903b2e8f3ce0df639ec3c44feb3666489405ee74d49f512700ab86cec4bc9e44

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\bookmarkbackups\bookmarks-2024-09-13_15_sxMRnx5JFrXxwfXg+uZOWw==.jsonlz4

Filesize
1KB

MD5
fa206836f4971790ea9e903f5d3e2cee

SHA1
c5237d2c8241be68efc281011ae1a8fe9db61805

SHA256
2be3f744a5913c456e98ac69cc0d81f415dcaee2298fec66eb1b6ce0be924546

SHA512
48ba6c757643ce4b0c62e5dd359c4c5a6caa28392af0258ca81adb61726bba573460f203f2189882babad18116c4f055dda5ff9ae237c3bf1c0ce6677dd34cb5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
63b1bb87284efe954e1c3ae390e7ee44

SHA1
75b297779e1e2a8009276dd8df4507eb57e4e179

SHA256
b017ee25a7f5c09eb4bf359ca721d67e6e9d9f95f8ce6f741d47f33bde6ef73a

SHA512
f7768cbd7dd80408bd270e5a0dc47df588850203546bbc405adb0b096d00d45010d0fb64d8a6c050c83d81bd313094036f3d3af2916f1328f3899d76fad04895

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

Filesize
27KB

MD5
c375f68b57277b5f1f21e0b3d244e616

SHA1
5513b321ed6201712e39f1d802169b1f47c01e87

SHA256
d7aa59863101b2b2b537cc9cf97ddadc6cf9f5a3ce59b67d8a56367f9f790d4e

SHA512
3d550186cd10abfc74e51024031857395d71bf20b0cf4fe832dcdaa201e5511d46ecbcd24b6ac332108b1161536118ea8d02e814807a1e5a20cb1bf004bf03ad

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
6KB

MD5
e19e95556b0e6e1759b585ebad367d24

SHA1
106f2d5626340d28605dbb48b33ea593f44853a8

SHA256
089db8bda07a2a52a27b6bf1f9dbd8fb8d751ada6b22cf6948af807b046f4d14

SHA512
d877e4258326e1cf9b64d196dc49a4e6df1419a6db6a6d99f00b569aae278852a0865ce0d6fa8b30a5df84d997d9faae74c408ff96a5801b5a441796622a2eb5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
1cc9bfda62e4b3ccbc82323fa3c6862d

SHA1
e19e36a630f301ffd15da145641f9cd42dd955cd

SHA256
14626c7031f16bd7f0a159c2ccfbee079793091b4f684866f85c966d7a748a7c

SHA512
9d70457cd2d7b6352ae631ad6240363b4f05dd8ce1fd6baaaf5d0848a0e17ee9b8c149d0060354075440fcafbf8900e2dd06c0c77ee5304a8995cad427fb6280

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
6KB

MD5
469d9fc255747152d0257dc04ebe382b

SHA1
544a1c6e979593de67b56732e5a72482d492c8f4

SHA256
85e27ff7fa30f603a5ed2d1d565530f1058ff85c4caaa166f15258a549744c75

SHA512
d90c62020d79bd09d5473c9a57d0414b1e0b138698ee03ecaae5acc2cde8a577d2fca295e74987a18d15fafa3a1a107e35f5b2808ef206a0beddb6dc5078706d

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
3e5a6a99bae08d5eab6c200f5c819c51

SHA1
960d1e8bdbb47c5c21d9933beae6ad5753d1c683

SHA256
709808170636eda156ee291dde3f7beb2ddb6654db779a0a20c98df3229e1fd9

SHA512
80b85650b6ca6a0d7f94478e66f480192a02f7b928ebaa3dfad205bf4e2302d87021aa61e62a8b3e11c0c6d335a927ec1a3523b9d394fc1ea7ab6dc4cf7e6960

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
867B

MD5
5d23da6200dab2faec302d5b0ceb50a8

SHA1
91629231c09b75f5b7c81bade721b34a5b5f7097

SHA256
bf9000c2f99612eafbc715c4331c3509aea88565b6b9f35b62054e3f0773436e

SHA512
473a670aa455987e9e2e7f372f425e7cd1449e6bd14ba7396908c749a5978ee4a315a51601c8c0250919f96640bd87c4ebad3f97b2d1b851018bf37f57902196

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
48KB

MD5
72c34ae272247e4955ce396a5e49602c

SHA1
dc59dc67eeb6c6eaf8cdff2c6e65d7b577d4b226

SHA256
196566873b7fab822a0260a5a392b8927dcc2a200b62eeda23654aef42cecb71

SHA512
86870eb9a11fb5f3ffa689b856a3f1e1f723f9ef8074aebe54e9be74f95592e37cf1a93a40914cc722b6400e7b5ef8fdc2cce8bebd248442264e281098125613

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profiles.ini

Filesize
103B

MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
962852494dbd0c5dac00fb1689dcc617

SHA1
3e897c771a2fef586cfce868d0ce13fafff3d08e

SHA256
90123081d45d398be733e6f5111e3045dcef3a48429aba5351eafeacd6cdc7de

SHA512
b52cf7d6ecfd4d48e28c6ba7c860f4a5c118ca2dd5499638963e1aaaea0c24520511918ffe86c6d447c1720a926f8d284e2fd7da82663e0673c7f3c498163a21

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new

Filesize
10.7MB

MD5
72b8e5262216a5dec4d1bc979a4be55f

SHA1
9e9ebb2097f5676ef7e9375038279505065f182c

SHA256
10f3672b7446790b0bebddf24268ccf0c3f001d94ec872472d277372d730fb05

SHA512
98e331c1a192b5543675ddedab1e964df62248e2c319d2eb081e4d4c33a0445aaa6526c3c893b97227f1f320cdf9c65e33150da523af733999224027c804272d

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\browser\omni.ja

Filesize
24.9MB

MD5
34dd09bb415552f3f8f0f5a442decd62

SHA1
4750a36b7cd0a2a882843358c3cfa2ca67d23283

SHA256
220dde83cba0e31ddb203c625b883a03c1c0fc57094ff290baa94e70c89d6308

SHA512
400c4da0a2b9f486be3f6806f13153e7585ac5510811c4d587526abf6c0c33065e52678151205896878b7e916717cf4551706314a1445acd48e861464698e982

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\defaults\pref\channel-prefs.js

Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\dependentlibs.list

Filesize
42B

MD5
70b1d09d91bc834e84a48a259f7c1ee9

SHA1
592ddaec59f760c0afe677ad3001f4b1a85bb3c0

SHA256
2b157d7ff7505d10cb5c3a7de9ba14a6832d1f5bfdbfe4fff981b5db394db6ce

SHA512
b37be03d875aa75df5a525f068ed6cf43970d38088d7d28ae100a51e2baa55c2ad5180be0beda2300406db0bdea231dde1d3394ee1c466c0230253edfe6aa6e4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\distribution\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

Filesize
934KB

MD5
660c5631a0b6381f3c11327c9e37867a

SHA1
dc2a4b88c1a84536657662892bab9e8ee5f42d63

SHA256
a448e4c2e0eb7ca5fb1b6d3189bc586b91a7ee6facecdd0424f1bfbf2b3016fb

SHA512
17df941f337a2908dfa79f6fa255f5d6c96035476238b6852dba8c5b14b3d7368a885f0fceef4e923c7720cee3221ecb4ffb19695520bec809c2fbf6939aed1c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

Filesize
1.8MB

MD5
3adb2f762f2f1767e5d4af55b59d3e32

SHA1
89b4c3981961a02d824205d1e577fa178416fb4c

SHA256
578257ed4baa0b9438fdcf596d2b5a79f64b81f9985ddb066b6ddce72e50b996

SHA512
42a6adc1000eb1441725dcec200117f311339b3e62c2370cdf7ed4b7ace384259fd2505286543e6eef527e08787c3ff62e73fc35145d2f8bd62d672ebbaba0dc

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\freebl3.dll

Filesize
690KB

MD5
077e62d6a81022c5fec6ebf0ba013ac4

SHA1
e0743b30b16c5fb514bf882ccae14c77b2662af0

SHA256
88c1635804a7904de347cb4fd7d74f626f2a3b75e7eabe52625d40e71063b6d2

SHA512
b51c6ed76d512374f7b64a49c8cb039a04bb76ab11179ff333e2d9987d9aab1a4f88475906f667e2286b8b6d10b0031647e88144b2b09a912b3a0c25c2a362e4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\lgpllibs.dll

Filesize
43KB

MD5
60981f1615158a584539d81e1cf14de4

SHA1
0ac8a9c480c1a077c5806246a85e8a9474e9c9e4

SHA256
2498e4a28f3b91afd83544b8d43bcc13a10f41b3fb7beb5882ea344788aba4e8

SHA512
4d194452ecd0a98d09a52e0523b95e18fbc7497b9769907a8e026f00e103379b6d32abc6698d7f3fe590e41f907dacba378fbb101ce0539272faea38f0e38c9e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll

Filesize
1.4MB

MD5
1724528b9f6f561b82689ff0a6aa59d5

SHA1
f43b21963c62ff9862489c3b9e085ee8f13e679f

SHA256
2e579303a8950ab72a036d61af318a612b5471c5eb7fe7198ac2a256cf0d4b87

SHA512
cb8deea52d3753edad8c022e98c752595236509ed86358638030ca90a7baa100324556622f69f568cae978a096143dcbd91f2c67069629add8e161e22a986ab0

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nss3.dll

Filesize
2.5MB

MD5
eac306aede6231e6ae0fcdac251f2eeb

SHA1
5c767f4b4df0bd7f2125d3c4541c9874bc20a014

SHA256
18c53f28a3905dfced30209ae12b470b1e0089432e6a5bafc4adfcf41eaa28ac

SHA512
ac90e9d40beaaf75e28d545366d404811dc1ada6d2b30beee402360d9e7bb03dec72c77e1c3e8c84d406d613b7d5413252bcb857c5a29dbabfe3c4eef953be26

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nssckbi.dll

Filesize
472KB

MD5
b6a62cc3fa4b3544b9cdbf1d1ee6a2c8

SHA1
3a0259d66d0000bb8251ea50f3ae97d80b9802f6

SHA256
73075840c54e778b110e3ef62f5a2a62b762763bde5f54e3e6978494cd405f4e

SHA512
796fc40ea786a820da28165723e062b030fc9506130005d24c35551e467834c265b6e4345d88098fd0bbfbef1aaf5869bcb05ee05ad7a80691a084ad706cc675

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\omni.ja

Filesize
18.3MB

MD5
2c5eb0819f1234efbb9daebf3432acb3

SHA1
4c03b24986fdee78c1521aa227eaf5ffe8fcae4c

SHA256
0c690a19a5d486dba157c1cf0632768b260b21eacea8708a64787c38e78af3d8

SHA512
d364b16f8a0c5fa29ccc77711fa54568fc50f42b29b561ce689ff5eb117e3e0536ec30f72350031019ad2b01be3d779a398ae8be85ef7fe10690b5446fee12cd

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\softokn3.dll

Filesize
288KB

MD5
3cd76df1ced23796d4ef977ddef30b67

SHA1
31e0b27b05ea2d2d9b42f34677c6296f95ca3886

SHA256
79218815d492460433b429c0cd9f43d0c44892278b7b763372e92fe09a713504

SHA512
94c1d51d5f06c69e1d2e82afc6538069d6944c62eeb812e2ebdb19e9256ecaba7b251e0f02813bb7156064386b01ca1c8fe9355ba2e143b3fcee5fea534ccd79

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Tor Browser.lnk

Filesize
829B

MD5
4577267da72aaefbf5a8ba06ffcbbda7

SHA1
aee864284e3fcc6dbe87c7d806df50ddc2e58463

SHA256
3ea11c636bfe2d28d0e2cff9dabd4223b2f9ac08036fa049bbe76cc994e2ea4c

SHA512
da796f17387f2e1de73f4953143ba621c6c6f0c4f8623063ff9b7a15857ab252044e0fec0e9dcb712f2be3e59361e4c3b1cd6d17cd29fb15321af35b2f5ff7e1

Download Submit
memory/2852-970-0x000001DC40400000-0x000001DC40570000-memory.dmp

Filesize
1.4MB

Download
memory/2852-886-0x000001DC4AE70000-0x000001DC4AE80000-memory.dmp

Filesize
64KB

Download
memory/3844-749-0x00007FFDA9230000-0x00007FFDA9231000-memory.dmp

Filesize
4KB

Download
memory/3844-750-0x00007FFDA7720000-0x00007FFDA7721000-memory.dmp

Filesize
4KB

Download