inc_ransom | d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6

Resubmissions

22-11-2024 18:50

241122-xg13xaskdq 10

22-11-2024 18:28

241122-w4vc7swkcv 10

Analysis

max time kernel
402s
max time network
402s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-11-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Size

161KB
MD5

267bec0f845b4f49610cfe695b63c5f6
SHA1

65717fff01fafc65e5d7d412168df8f818a0bff9
SHA256

d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6
SHA512

68b3513c60cd6dc6a7bff5451232661dc612724d4152c10d6ac0ff5c778eb3f08717c4bbdac4b24bd145fbd397f0b33c001bac19bf7d2a09b9378e9f457c1d01
SSDEEP

3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvlaEkZSc5:bYjHiqrrTuWUc5

Score

10^/10

inc_ransom credential_access discovery evasion ransomware stealer trojan

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\AppV\INC-README.html

Ransom Note

<html> <head> <title>INC Ransom</title> </head> <body style="width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;"> <div style="display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;"> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span> <span style="font-size: 14px; margin-top: 8px;">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span> <span style="font-size: 14px;">The sooner you pay the ransom, the sooner your company will be safe.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Link for normal browser:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incapt.su/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">You need to contact us on TOR darknet sites with your personal ID</span> <span style="font-size: 14px; margin-top: 8px;">Download and install Tor Browser https://www.torproject.org/</span> <span style="font-size: 14px; margin-top: 8px;">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span> <span style="font-size: 14px; margin-top: 8px;">Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Chat Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Your personal ID: </span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">662cb73c7cc626fa13c9d88c</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to recovery companies!</span> <span style="font-size: 14px; margin-top: 8px;">They are essentially just middlemen who will make money off you and cheat you.</span> <span style="font-size: 14px; margin-top: 8px;">We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.</span> <span style="font-size: 14px; margin-top: 8px;">If you approached us directly without intermediaries you would pay several times less.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">For those who have cyber insurance against ransomware attacks.</span> <span style="font-size: 14px; margin-top: 8px;">Insurance companies require you to keep your insurance information secret.</span> <span style="font-size: 14px; margin-top: 8px;">In most cases, we find this information and download it.</span> </div> </div> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">What guarantees are that we won't fool you?</span> <span style="font-size: 14px; margin-top: 8px;">We are not a politically motivated group and we want nothing more than money.</span> <span style="font-size: 14px; margin-top: 8px;">If you pay, we will provide you with decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">After you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to the police or the FBI for help. They won't help you.</span> <span style="font-size: 14px; margin-top: 8px;">The police will try to prohibit you from paying the ransom in any way.</span> <span style="font-size: 14px; margin-top: 8px;">The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.</span> <span style="font-size: 14px; margin-top: 8px;">This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.</span> <span style="font-size: 14px; margin-top: 8px;">Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.</span> <span style="font-size: 14px; margin-top: 8px;">The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.</span> <span style="font-size: 14px; margin-top: 8px;">If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't protect you from repeated attacks.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">If you do not pay the ransom, we will attack your company again in the future.</span> </div> </div> </div> </body> </html>

URLs

https://twitter.com/hashtag/incransom?f=live</span>

Extracted

Path

C:\ProgramData\Microsoft\AppV\INC-README.txt

Family

inc_ransom

Ransom Note

~~~~ INC Ransom ~~~~ -----> Your data is stolen and encrypted. If you don't pay the ransom, the data will be published on our TOR darknet sites. The sooner you pay the ransom, the sooner your company will be safe. Tor Browser Link: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/ http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ Link for normal browser: http://incapt.su/ -----> What guarantees are that we won't fool you? We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly restore your systems and make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live -----> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world. Tor Browser Link for chat: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/ Your personal ID: 662cb73c7cc626fa13c9d88c -----> Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files! -----> Don't go to the police or the FBI for help. They won't help you. The police will try to prohibit you from paying the ransom in any way. The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files. This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees. The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI won't protect you from repeated attacks. -----> Don't go to recovery companies! They are essentially just middlemen who will make money off you and cheat you. We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M. If you approached us directly without intermediaries you would pay several times less. -----> For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret. In most cases, we find this information and download it. -----> If you do not pay the ransom, we will attack your company again in the future.

URLs

http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

http://incapt.su/

https://twitter.com/hashtag/incransom?f=live

http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/

Signatures

INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
ransomware inc_ransom
Inc_ransom family
inc_ransom
Renames multiple (325) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tor-browser-windows-x86_64-portable-14.0.2.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-14.0.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	firefox.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 16 IoCs

Processes:

tor-browser-windows-x86_64-portable-14.0.2.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exetor.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
5624	tor-browser-windows-x86_64-portable-14.0.2.exe
3980	firefox.exe
2892	firefox.exe
3384	firefox.exe
756	firefox.exe
5892	firefox.exe
5760	tor.exe
392	firefox.exe
4680	firefox.exe
5284	firefox.exe
4232	firefox.exe
4624	firefox.exe
224	firefox.exe
2288	firefox.exe
5492	firefox.exe
4388	firefox.exe

Loads dropped DLL 64 IoCs

Processes:

tor-browser-windows-x86_64-portable-14.0.2.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
5624	tor-browser-windows-x86_64-portable-14.0.2.exe
5624	tor-browser-windows-x86_64-portable-14.0.2.exe
5624	tor-browser-windows-x86_64-portable-14.0.2.exe
3980	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
3384	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
5892	firefox.exe
5892	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
5284	firefox.exe
5284	firefox.exe
5284	firefox.exe
5284	firefox.exe
5284	firefox.exe
4680	firefox.exe
4680	firefox.exe
392	firefox.exe
392	firefox.exe
5284	firefox.exe
5284	firefox.exe
4232	firefox.exe
4232	firefox.exe
4232	firefox.exe
4232	firefox.exe
4232	firefox.exe
4624	firefox.exe
224	firefox.exe
4624	firefox.exe
4624	firefox.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

firefox.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe

description	ioc	process
File opened (read-only)	\??\R:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\T:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\V:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\Y:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\E:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\I:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\J:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\L:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\Z:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\A:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\P:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\Q:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\S:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\N:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\O:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\F:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\G:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\H:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\K:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\X:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\B:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\M:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\U:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File opened (read-only)	\??\W:	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe

Drops file in System32 directory 3 IoCs

Processes:

d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exeprintfilterpipelinesvc.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File created	C:\Windows\system32\spool\PRINTERS\00003.SPL	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
File created	C:\Windows\system32\spool\PRINTERS\PPysz8811dfihqegk5f1_q1eib.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg"	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3b45be59-f6a1-4bfb-bfd8-31446fdd84e7.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241122185100.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exemavinject32.exemavinject32.exeDATABASECOMPARE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mavinject32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mavinject32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DATABASECOMPARE.EXE

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEONENOTE.EXEfirefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEONENOTE.EXEmsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 34 IoCs

Processes:

firefox.exetor-browser-windows-x86_64-portable-14.0.2.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e8005398e082303024b98265d99428e115f0000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-14.0.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe

NTFS ADS 2 IoCs

Processes:

firefox.exemsedge.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Order Jul 20.xlsx:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 97716.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

ONENOTE.EXEEXCEL.EXE

pid process

5320 ONENOTE.EXE
5320 ONENOTE.EXE
116 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

ONENOTE.EXEmsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
5320	ONENOTE.EXE
5320	ONENOTE.EXE
2740	msedge.exe
2740	msedge.exe
3964	identity_helper.exe
3964	identity_helper.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3392	msedge.exe
3392	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exe

pid	process
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
Token: SeTakeOwnershipPrivilege	4440	d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

msedge.exefirefox.exe

pid	process
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2892	firefox.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

ONENOTE.EXEfirefox.exeEXCEL.EXE

pid	process
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
116	EXCEL.EXE
116	EXCEL.EXE
116	EXCEL.EXE
116	EXCEL.EXE
116	EXCEL.EXE
116	EXCEL.EXE
116	EXCEL.EXE
116	EXCEL.EXE
116	EXCEL.EXE
116	EXCEL.EXE
116	EXCEL.EXE
116	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

printfilterpipelinesvc.exemsedge.exe

description	pid	process	target process
PID 6136 wrote to memory of 5320	6136	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 6136 wrote to memory of 5320	6136	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 2740 wrote to memory of 1904	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1904	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 2568	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 668	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 668	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe
PID 2740 wrote to memory of 1080	2740	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
"C:\Users\Admin\AppData\Local\Temp\d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5948

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:6136
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{8E13932A-F9BD-464F-8382-5FC866D0704F}.xps" 133767750364950000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\INC-README.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff87f0646f8,0x7ff87f064708,0x7ff87f064718
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x134,0x138,0x130,0x290,0x12c,0x7ff643155460,0x7ff643155470,0x7ff643155480
    3⤵
    PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1324 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3132 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1768 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1328 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6952 /prefetch:8
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9328262059287199529,1077283140606619969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:5976
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.2.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:5624
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3980
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Checks processor information in registry
      Modifies registry class
      NTFS ADS
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2892
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2576 -parentBuildID 20241112185024 -prefsHandle 2532 -prefMapHandle 2524 -prefsLen 21012 -prefMapSize 252129 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e484becd-05d3-4b95-ab3a-a8d9cdfcbeee} 2892 gpu
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3384
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1616 -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 1860 -prefsLen 21821 -prefMapSize 252129 -jsInitHandle 1344 -jsInitLen 234780 -parentBuildID 20241112185024 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d1c70be2-6b52-4cd4-be80-d82ff47d1104} 2892 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:756
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:acfc1b2578bbc7e960cd1c69337de97a78ac158c3f4392f5e0a9d7d38f +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 2892 DisableNetwork 1
        5⤵
        Executes dropped EXE
        
        PID:5760
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3128 -childID 2 -isForBrowser -prefsHandle 3120 -prefMapHandle 3116 -prefsLen 22592 -prefMapSize 252129 -jsInitHandle 1344 -jsInitLen 234780 -parentBuildID 20241112185024 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a099058b-841a-4320-8fe3-a206c4d6bcab} 2892 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5892
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3324 -childID 3 -isForBrowser -prefsHandle 1800 -prefMapHandle 1656 -prefsLen 22705 -prefMapSize 252129 -jsInitHandle 1344 -jsInitLen 234780 -parentBuildID 20241112185024 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {6a076ee0-dc2a-4d8b-89b2-4221d42ff1b3} 2892 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:392
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3560 -parentBuildID 20241112185024 -prefsHandle 3376 -prefMapHandle 1876 -prefsLen 24225 -prefMapSize 252129 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7deab2c1-2917-41f9-8872-61bda8d6af1a} 2892 rdd
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4680
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4112 -parentBuildID 20241112185024 -sandboxingKind 0 -prefsHandle 4148 -prefMapHandle 4144 -prefsLen 25414 -prefMapSize 252129 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e4e18f2e-022f-403a-aeb4-34dc08b47254} 2892 utility
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5284
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1624 -childID 4 -isForBrowser -prefsHandle 2064 -prefMapHandle 2336 -prefsLen 24349 -prefMapSize 252129 -jsInitHandle 1344 -jsInitLen 234780 -parentBuildID 20241112185024 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a833ddc7-6ab9-4c1e-a1cd-592fa6c5217e} 2892 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4232
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3580 -childID 5 -isForBrowser -prefsHandle 4404 -prefMapHandle 4408 -prefsLen 24349 -prefMapSize 252129 -jsInitHandle 1344 -jsInitLen 234780 -parentBuildID 20241112185024 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d8587058-ee1b-43a0-8e14-de2571a82229} 2892 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4624
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4560 -childID 6 -isForBrowser -prefsHandle 4568 -prefMapHandle 4572 -prefsLen 24349 -prefMapSize 252129 -jsInitHandle 1344 -jsInitLen 234780 -parentBuildID 20241112185024 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {722ffb0b-3517-40ed-8ce7-308ff33d89af} 2892 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:224
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4368 -childID 7 -isForBrowser -prefsHandle 4872 -prefMapHandle 2152 -prefsLen 24570 -prefMapSize 252129 -jsInitHandle 1344 -jsInitLen 234780 -parentBuildID 20241112185024 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e4d58ffb-0759-4236-a9c7-f56a97c4fcf0} 2892 tab
        5⤵
        Executes dropped EXE
        
        PID:2288
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4440 -childID 8 -isForBrowser -prefsHandle 2156 -prefMapHandle 4396 -prefsLen 24570 -prefMapSize 252129 -jsInitHandle 1344 -jsInitLen 234780 -parentBuildID 20241112185024 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {6eccc8d0-a6cd-4d44-a83e-60fdfc86c843} 2892 tab
        5⤵
        Executes dropped EXE
        
        PID:5492
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4048 -childID 9 -isForBrowser -prefsHandle 4172 -prefMapHandle 2248 -prefsLen 24769 -prefMapSize 252129 -jsInitHandle 1344 -jsInitLen 234780 -parentBuildID 20241112185024 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {89d8cf12-361d-4ddb-96d2-4d8914462bf2} 2892 tab
        5⤵
        Executes dropped EXE
        
        PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5412

C:\Program Files\Microsoft Office\root\Client\AppVLP.exe
"C:\Program Files\Microsoft Office\root\Client\AppVLP.exe" "C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE"
1⤵
PID:4888
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3096

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\mavinject32.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\mavinject32.exe" 3096 "C:\Program Files\Microsoft Office\root\Client\AppVIsvSubsystems32.dll" 1
1⤵
- System Location Discovery: System Language Discovery
PID:5172

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\mavinject32.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\mavinject32.exe" 3096 "C:\Program Files\Microsoft Office\root\Client\AppVIsvSubsystems32.dll" 1
1⤵
- System Location Discovery: System Language Discovery
PID:6036

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Order Jul 20.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\AppV\INC-README.html

Filesize
8KB

MD5
e4b361f59f748d20b15e0d5508c2dc33

SHA1
4249544063935272917970c4233f57a7de887b53

SHA256
06bc0bce8c8790e33546ea84fe4cb9d08375501a5cd594ffc77646725bd1979f

SHA512
c4131a48d2dc3c26282309e1f7c1fc6f8865f1db0ebd1360cc33f3cb039b2d43d9ff117144e1697556545621259d34d5e394f2381a459ce877257b299d37b424

Download Submit
C:\ProgramData\Microsoft\AppV\INC-README.txt

Filesize
3KB

MD5
4047372b2c516b72b514ed81cc94026f

SHA1
0e039cffb138020435b076eefc8885eefed0250c

SHA256
6fe80757787cd41cf28b2b65ba65ad4103c934ee8be90289409cf75152afda9b

SHA512
d0fc67d28a5d14bfa87ad45ef04010967add1f17701dd1a115b9a292031b075a9c193c775d840cbb2dad132181ea37b731de29479c5272c9e208c679358a9e8f

Download Submit
C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
4b5ddf608c382552a642f304ce498e25

SHA1
d85588dad41959e841648a0ade87f8ce3cc880b1

SHA256
a867264f811943354c79964e6dcc80945c307575b9f8de07d9d0184cf076fbdb

SHA512
77334651b9b6a23a42daac5008cbfa1d2638f3ed774e1b6815b58c3d1e1960c4d138c0eb4bc2c13d8cf3fc070fafb15a0c979f7b4411664ace9269c1680ec399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
1b9c8c21fdc31e4b4084f67339b59969

SHA1
a404adbd5e0d72f2978090f02e02283e41f25d23

SHA256
2fcb9bf58d103c79d1bc339be4a419aec90f813a36a2436f850231b1d65a3d22

SHA512
a6d99c9ab037b9313bbb042ca2caa2c57655711fc5ec6b58697b1a1819d84335797f2657f0cd976047d0f3d4d2691441df8cd298d0914481c8092c1e0c071672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39191fa5187428284a12dd49cca7e9b9

SHA1
36942ceec06927950e7d19d65dcc6fe31f0834f5

SHA256
60bae7be70eb567baf3aaa0f196b5c577e353a6cabef9c0a87711424a6089671

SHA512
a0d4e5580990ab6efe5f80410ad378c40b53191a2f36a5217f236b8aac49a4d2abf87f751159e3f789eaa00ad7e33bcc2efebc658cd1a4bcccfd187a7205bdbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef84d117d16b3d679146d02ac6e0136b

SHA1
3f6cc16ca6706b43779e84d24da752207030ccb4

SHA256
5d1f5e30dc4c664d08505498eda2cf0cf5eb93a234f0d9b24170b77ccad57000

SHA512
9f1a197dccbc2dcf64d28bebe07247df1a7a90e273474f80b4abd448c6427415bace98e829d40bccf2311de2723c3d1ad690a1cfdcf2e891b527344a9a2599d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2f50630130933fae74431b25b7f6b8bd

SHA1
d1a462ad2d5f6c625148781b0584837f4f17a309

SHA256
1fdf409ad8ba833ed7fd3fabfa0b4aa1cd0ca7036a7253a2fe51d9f4bc6cec75

SHA512
6027e24457b4de51ec6df56db20dcae87ce74a90fc947f27714b784431e997fb25ad06efe0e8234ca743b511e36988429e579f64c143d14e46b601b40009c1a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
d00f68af4a161ca2192d017fec05aab2

SHA1
9b204c32aa29baee55daf2514d84b6dd36c1bc68

SHA256
4671c222e19b629fd2a1a84990e8dc5b8a1e325ba93674b8688798f87c4120e1

SHA512
a1cef8a770a5743748a9c7c224b49ceeb8ff9bcb14b1143ca1ae643b2d6d0683208beb1a4c7a0eaf4cbc1b2d125e0dcbf668ca2b265b542b5d41faa5a8cf6717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6acb95e7ed0c5d457465a9e36537ee84

SHA1
f2301b2837f8009d69fd8452c586186ea80bed17

SHA256
038b47d2213824b6c029576a4c3ee2d5ae4147b82fd54201d9e1299c0a36b1f2

SHA512
cce774412e2de3ff6d1cc37072e725418b5e487ee297c85bc3f69448f60f3663c878d68f17dc6ea66c8e2881e893d3ebf8371237ea8f759c0ea72167711c7415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3e5f546e8d6b434bf945cc6fd4a48b78

SHA1
469ca2778d64c650462acfcd5f594c39ea162fee

SHA256
1a242c1ceb656547e4a7da750b5c091ee1cc4f80de5cd6d894c7643512a8227a

SHA512
55f83161ac9810ad7b5e7b64e8f51a17615ee26b2769c50b0d16e8f6272b14d6f9951aef8527ad324e2d06a6e4045d9c75c0ff04719eaf278573894520301558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de766d4cd15929545752e0242ee76b91

SHA1
3ff5b3620de198e79830f321d871dfd10027e8a3

SHA256
72305c42938e121606d8e3bc83d6bb3249e998e1036bf0d9bef6a28a99deeadc

SHA512
0401f0213914193d6576e54a2d02c85fd7280c9fcdc3eac70ae174563850001bcd3d54279e19b3c813b1f5915ea12dd6f32948af8a226ac845c4e2c08c05a31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5941cd782f4a2b219c20e665db8f7284

SHA1
0ef2e0da213f63e6b6f7c82abd5b266be98a5c7f

SHA256
014eeb02f63e31942453502923b359ee4f4ca569f8565dec4154c4d6e6922ad0

SHA512
438626f889a3ea0f0e33d5efcaa3179288552d55ae2c900ccaed783fc2dea6991e5cea2d86fdddd00a97cbe0bcac6f1f15e3ffcba812b1cd5c79c3562eb162a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
5439f9dcae547fa70b2958ebd23bdb63

SHA1
79f852923487e2f20b56e6914f4ee38cf630e9f1

SHA256
16bc903ea21679df84b63616a4cca27dd78f6ab2bc2065f3b7cdc233aaaced81

SHA512
135bad9d4bd37b128c4911a6cbf6f49ff0661aad5f4adf2e8d08b5aebe7294be20ff8bca8908dea3c26d5415e864a751b1c4d664a30b072323cb7370e2ac1f12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a7593209468e0f793db5abd7f4f048a3

SHA1
2e97ea746f7058498dcedfb1e36cbddd9ca24da2

SHA256
aee5bd6ee739cbe56392ae926416ae0b4b08946cd894ced15c5fadf5c20bc8d8

SHA512
9b3e871179231ec31cd570ae17ed48a9fe14862fc23a911486d1de9dd2309aa4c333f655d43c468a9d55c8be765b2b006289ccaeb0d645b3bd1e3fa7a5d1c8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e9f1bdc8dc4723a32b4a41da07f891dd

SHA1
32bbd50564e45b8fb8fcdb1c8b398dc011d8eab7

SHA256
550a99a5440096da2b05108ae572f0dd0a2cef11bcd6806f702717786175d917

SHA512
8cced572a3d3334872930e2b9746badf04e2a85106075840d3733c3a9ee0ac44b1d088410cb09d414828ae82f2c6acf942ee87fa23792932e651ca43907ffd75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec5efc8ae5303e8fc86548c2ec28b564

SHA1
1c44b7228ab5413c37fe6fba071da5872b7d2356

SHA256
a09c8a4b13c5368d8b10de6cf5b0d2af158fe13950adf86fc9d148aa8e606d53

SHA512
c1bde90ca2972ec4d190adfbaa7fe879acd28cc3018d5198d328d06520a09a8417ed48c4a1fa38c21ea2ef205604c462c5a66eb09c12ac0833c08917b79b4b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
60d82bd601d64fd00bb0373f5ecd65b8

SHA1
0e8bde426270dfa3ea285c2c5b7282ab37771d4c

SHA256
bdec91a5061c6a400ef33c2dca5b1d0c16c1fe9e464f8ec99a72442b752e6a97

SHA512
5ea1b33784438acd246c02c95716f72c78293bc8d8e8e6d71aeaab370ae9fc2063ba8ffa443bbfc26c96e45a95549b62894b846a459c986531b34a110d0be38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0e98d1679e15688ad133f11eee8458ee

SHA1
a4b1a83f0a3f2867954d3146d95d314441950606

SHA256
8aa7eaf918f2969424996a8f3575478006d9d74b308a750f996fe4f5f045554e

SHA512
eb34d52a8df4992444000a93c8d0d11254069b5f43a68a6def21061be03a538f36c42b2e968a8637f12b93235de3140002b0212aa2cdebe0950fd115c04bc72f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
84b7ddf34ae6a0407ce31eeed3ee136d

SHA1
6f0b82273d3f566538d537e71c0680509f81db93

SHA256
a6d5baf77dd0aae066ae81a3c6ea8962d1efaea28bf4bfbf2acca56ff692d85f

SHA512
dfbd27d3e90bacc61331ee16d584e18e7a6ea1dd9bc32ef1f7f68c4167bb8e6eb8669d5d00a53e4d0610ce02bdb23cee40db8ad52352b303c69c2fae49dff071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c4d4b76ef0b6e9778571dc2e6c0316b5

SHA1
0f5d60a2d438b2bdeb9ee134710d0ade5191ce2c

SHA256
179d855f1eb3049d0068f1ddb4754fd086d1fe06ad6abb06b1f2f37427a58435

SHA512
15c55ab4fded487b4d2d2d0eca295762c9a09e77322d2501eeb52c62dfbe0edd6cc812fcb61eb16115d4b0cf88d062cf4b8d6628b750ac57e803acc2537e785b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
527134d2dfc28769c8a8d6a38fbec088

SHA1
b28358b8498556eb47bf071579ab25dcb0af571e

SHA256
029b7d629d6e2a6616bd27e4e3af9cf081d24de3dfdaf4f2e4d9baabdc99eacb

SHA512
b9c86f1198ea29d5d115e685e68f69324a5587ae091622264a21bf65f4b0e8a9f55b0937effcae7413ef1505e42b73b1b42501b5521c4d763618abef9349d0f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
47d0a06776d4c8e096d866f193b1cf6c

SHA1
c690835a8c740454121fe5469515da2ac6e9f190

SHA256
488d86081c9e27277edbcd3c45a37d453a20b5660de63bee885b26e46ffdd01d

SHA512
a0554d2db8948515529af16a3347db5965d63cf653e5d096a6edd6553cefc3882889ba2ccc02db512b669edf228a101311c75c258da88256bb525f5bfde8189a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
e0f58e418ec863722416293fd127d8f2

SHA1
d8d9c5951c2e323c71b3e39faf37f51d8d0d84b7

SHA256
6e6c91642fd9c9cba2899e65fb2b7d65a9ab8b20526e1b19d1d0190ef92de8fd

SHA512
626e3f441ed6a31ba06060d99311fb573cc77902fe2d5144ba80761282309583f3604dcc3983ced585316c33694e3d6aeefa265d193fe0e357281de991472f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
0ed9d752f7d702749a23d588b9b12fa8

SHA1
298388be72d2b5f9f1ef1682b88ac707b4c4be50

SHA256
71d7e95e277eb1235bd275f0f3e23ef0998dea2b5f610874b25409ad7bbfbe1f

SHA512
2b1dc9415837159b8bff6ba852efb0d33ffe8d11b63bc5489884cc2471828a4401bd5cc54c845732785d474ae83577d0df3470d2ada7b80918b79d6a92973410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
da43dad93330e51442268ca6e1142960

SHA1
5f274f9ea10c1356b7f6a009b05bbdf4f7231150

SHA256
19269c8910b706df89e71a34798e0bf1aa565c234b44568504c2b340c5609e99

SHA512
fa0e1103a8915817a9ecda0be4b705262d937f952618c15f10c79c06dab55980ada01658f98f40a41dcc879827b7bfb17eb69f04cd509d7761eab4a01c0447d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\k8aOBeIp.xlsx.part

Filesize
392KB

MD5
53e2f15fc33dad45024420ae993927d7

SHA1
131d450c8c5d89ab7d43ee469c58e33a8abc51ea

SHA256
3783444632d842d3932011e6459f405fba06db718d85efd4001e65589933a028

SHA512
00f3befd840a72fa69f2e4e617251250018a889e96d8b67e2c0da64946cac49257dc7dfd33a6b58e0b1136712805967af3822130e4e56f036fef783ce97890a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseD7A6.tmp\LangDLL.dll

Filesize
7KB

MD5
9888fb6b91a680305b2a3e7b71d6561d

SHA1
4a7935da38f88e9f74f425078ee39eb6269c4e63

SHA256
81726604d47b192620bcf90d6e42ba8ee8b4c54935b0081655e08247d6b6c675

SHA512
f50755e5624bfc3a60a23a7dda012509c1e31d9772d6a0ccaca88e32ae8d4602e10e38003d78b1626464502db7ea7c47d772efb7b3ea7c3e2238bf3b9809f833

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseD7A6.tmp\System.dll

Filesize
24KB

MD5
d997606c77e880be2744c44128843d60

SHA1
92bb9003dc14ae03963f503e82a668877ca4295f

SHA256
abb2613ff851b2cbfb61bf97e4eef9d4912abcb46e04774ad84812ab75d4dde9

SHA512
714d7ce786e9fbb6f0d0e537a146a3a24aa79089669dd168b7c110dfba667fa7afb794b3dd2b93fa76e1d1771af3347a0f568cbb0fbcc8d9755de9e6e54382b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseD7A6.tmp\nsDialogs.dll

Filesize
13KB

MD5
bd0d7a73d0fc619e280372587e9e3115

SHA1
0cde473dda5d4fda8190e6460f3229cae2571af5

SHA256
c7f2afe3a2424e71563e69d862dc027d299d84fba4ac1ba11e593361daec0a80

SHA512
914983bfa336f9ea019bf5dc9ee403af56a6c7c1d88b8092609e4026a3377daa6ef9a8e51a93537f6769ae165c264763645a363fb6a89f8689f59caf985c18b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
343B

MD5
ac6d9f6de61a3f0118033e88b8e86834

SHA1
b776c33026ef7b6ecbfe1ee76b6bb6429ddf84be

SHA256
83b694344f014b2c7c60212b56d57f50c359db89ac31a2ee07d2c66c49a5b07d

SHA512
07e1ad7561409fd4830ef997a78f855fcf0ad921a2c3b05f5708b913bf027ee802b1120a73cb1bc4818e43035af7099ac1ece9995304ac62d695601311af387b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
676B

MD5
976ab2d124f49aac09edd5524c4935e7

SHA1
eff1807aa6442fceafe35ac0cb0dca3824bff45a

SHA256
e4308c2de0fb792e2beaf51ee2bb765094b0ec83766aebd45bd119e836dcf661

SHA512
6902e2af1b9d2571557d9073257bb3f8a45ddabf65707e22b98a6b2e5e4858b33fd1fd6bdbbaa75fc32f9dfaca98e19a2fa18af72922c62d3c7e8f225aa4d9aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
db77e80ccce7ee6340c36000a97d20ba

SHA1
02ef9da9df58f15f5f5fac0c09c6d81d6feeb95b

SHA256
9ae63d523d9cf9d14e9418a0939898809bae63b309eefce37bb4c8926bb41709

SHA512
630853aa78f70e817019999f3f7ef2e0307d84922fe0a62484eb9a7499b880ea333950d2f6970913943006df6671e8234e0f266badcdc5a1e0b33544c3867a7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
21e89d34da5b3bf51ec736b73f4a15df

SHA1
cfb5af8328103fbfd5a9859dd1ca8ccb5d526873

SHA256
4ac0d5c1ac833bcbee42abc67c96a001295ce78af393549133457c09f03b4be2

SHA512
9a687e518b92f86f5d3a8e77542773302c229082988f5f3d741d017c86268325e882025dcd495c67a6c74d42095e137f8e99aee2feac0914eb78d28d0b48a3e7

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
7d3d11283370585b060d50a12715851a

SHA1
3a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3

SHA256
86bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9

SHA512
a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extension-store-menus\data.safe.tmp

Filesize
245B

MD5
4739996064bc69a04af122214e11dc8e

SHA1
862b1f36b4d700a5d9d5caf12099f0a28f697cd7

SHA256
10d1811fbfa9bab315b60f991ca0370d3e250ff0d5f2a9e83f8f838ec14ad120

SHA512
d3aef729c70e0f7ce3ca83f88b1f70f4c0e5cf1be154cf37f12174ddd50a92a8b7e65b8cca3af81f5d4a238c91c83ef20c9ad0eb041dc2f8ff2dbbffc3501e52

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

Filesize
16KB

MD5
c951fe0de99387f66059c9a6b2604853

SHA1
9fc71aa7e59c91d21b5aa334bbc2ebe6081ca853

SHA256
14e9ba8f7df534690fac08554f2db62141cf4b6d04df0a5670a3b73944d1d479

SHA512
229e5e8b80197dc3345bcedd9fce2672186b768a379fa47d299523f68b0ba8be4c076542b5039a75faa1467ce993d5a5f3565f5cb30f51b1f23518685bc12e59

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
09f921da9aa369e0ad791f86f5973281

SHA1
8c0228818a62518ca1be64dbec7399e0e1d4d2e8

SHA256
e1abf8205d4cf7457cbb78a80fe1a56e44daf566b1ef8243f70929ffcf034365

SHA512
1a359ae7f2d0b8d6cb70db8def6a5a1a06e81c42bf17feb3222e4620de6c0ff7bb8cee8d442edf5c0190cc170ac1292f18360fabe2f06405a6eaa31b4d71ab29

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
1KB

MD5
46263ea6ccff9de67add598d18a65a75

SHA1
57925a89cd8457cd21d0e6a0cfd6a497e0f7c14a

SHA256
d978d597b61ace51b75451e5d88851612e4b9fa74b38dc0f13c6662663197d93

SHA512
47a2d441311b35bdad095b5d898b68e1969dbc21652e3e6c7cb64bd5b823845d74854bdc4582176e3f421990b97bc744eb06984b5145069a9827a71248f47eca

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
4KB

MD5
bd1b51d2adfe60617e67d7ff0e942e7e

SHA1
7568f9ef3ece70762823c52f809e37f770115cf1

SHA256
f03b02f9787d5fe181b1fe97aa8f6db8355d7345c68759faf37cf7c2b0844758

SHA512
10511ffe098774ea0bdabd5d1021855e9a5c094d550f301642e84a12d17a16a90bfc7d47c9edcd2fd4614b4787bb0abe142f57f909f135adf8f558c0722dac5a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
152KB

MD5
c0e3052a0b083eca902bc5f9c8c3e8ef

SHA1
a4c7a1d7febabc7b2e3e6e61edfd654b54124960

SHA256
aeda9917a43a4da1254a218b4bdd183060a1cbb64382f3ceefe75976b49f4e18

SHA512
0fe12713739feb5fc0bd3e30ff447c46a1d1c05a4b45756595ae41e6ea78768a1fef6064ee6b52d937576865e666ef0e6ce8d72b947eba6684ca41f9353011a7

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profiles.ini

Filesize
103B

MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
86983981d9b2cfa3102cde2a17d484d1

SHA1
2e24960dd842b9e044a54e30b7521fdbf346d240

SHA256
dfdda41b729220dda811e22ffebfe8a0902a308102688653cf107682e9972742

SHA512
8225f269a0d94f238817c0303e1c495e4ddb78b298fa5d78d0986ecdcb3956a6191b217ec6231099a58e1d9616d603fc38fabbeb25fdce38d9bc2856146202d1

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new

Filesize
7.3MB

MD5
b0f5b4c320ec0c38661afeb25b18a012

SHA1
d90dc2d6d9bb235eacf505335ed298a6e175a527

SHA256
6c8d23df322b8880f253eda1b58be8600f4a400e854b4312d12c23ca669ed4c0

SHA512
e8aa7c6e869a01a007fc615ac1d4d5a019905c56cacc26489f36abce7af18784cb5e49abd42fca09cdefc032881aaae62b06df02e26bb492ecc1385743632619

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\browser\omni.ja

Filesize
25.8MB

MD5
387191fe8d38a9f7d1b2a0c5d305e7fd

SHA1
5149e768fc041c419b0fb2f9e6ab301062d39329

SHA256
c987e44a3c0449d469315d3fc9044760cbfad170c48e4f06e012e7949e6beab0

SHA512
fadce6b56e5e4e03511e4a9c95015a9220b458e4ab98e03937165529d2b054b41844ffd856ba57413a22e2bfea69c5ea9a489993260589654d3ca38cfddb0199

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\defaults\pref\channel-prefs.js

Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\dependentlibs.list

Filesize
55B

MD5
a515bc619743c790d426780ed4810105

SHA1
355dab227f0291b2c7f1945478eec7a4248578a0

SHA256
612e53338b53449be39f2e9086e15edc7bb3e7aa56c9d65a9d53b9eb3c3cc77d

SHA512
48ecd83a5eb1557dfabfaf588057e86fb4b7610f6ece119d6d89a38369d1c9426027520ce5b6d1cc79a4783b9f39ac58afb360cc76e05bbe8bbbd5128c5d395b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\distribution\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

Filesize
937KB

MD5
f48958ce295af595f261850e33793617

SHA1
cf13f6800b5fc4217a5cc1d0b1450c1c753b2098

SHA256
460aaa6484bf8422415dfe08260e8536866e3731ed5b8b7913cf4b7b1333493a

SHA512
7a9de625cc9b7d6ffedbad19201558b191d1e32686c7f4417571b25838c47dcf8e16ca63772c94827a3abd6b646c8216962deeede6ba713180e0dc3bc7871649

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

Filesize
1.7MB

MD5
f3a5e136e846c3fb57569a13db724953

SHA1
7283efc6c6b152d939814f9b5e45976b03ec5b7e

SHA256
9291ac920f4e61836b2443b4db0f9c139a2c5e0eaa875af013f9da15057f8d20

SHA512
ad3369f2115d319785935478f5ebe06a06f618e65272a13cd13b29bd4c97774738ce35c203ee227fe67cf3668df436b3d97d8d2ad8838b8fa6d74a3c34ad6bf2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\gkcodecs.dll

Filesize
10.0MB

MD5
53d2d077680c6e0eff2626f3218b1c2a

SHA1
95478e4550e62e3900064eb25f1acafd1d193c67

SHA256
250c2964f1b4e155caa7bccd7e1ea2e1b28643fbbe452879f153bca6c3a26673

SHA512
85cb19e27f3d36af9241ba756449e43bfd4c18dfd590c8843c06a71ffec4b5d774df183cba50aee9ec4a171965fcac2f7e14ea5745f66b50b6d5f1ed4dc5074f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\lgpllibs.dll

Filesize
493KB

MD5
34e22e8a40e522b294d1cc276b4a5cbc

SHA1
19b96b0b4fbd569b98c3d6c3e2100b5f594ebbc5

SHA256
c22de5319e4e6406b27af6d7cce9a4b3c7cf9fac9cb901cd1642c7382afb4a9e

SHA512
ac58703725282f17223f02537c6ba58177a9ca26c35d018e6d2f24d332518592f00e899c346954719294b6db6622ad13887e1526c1c220bed907b3403e230501

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll

Filesize
1.4MB

MD5
3cc68d7fff64c2355ff241e133b1787c

SHA1
7fb00e634e7b8ddd10a787f44884256da5da9cfa

SHA256
5cf6ac9bc6c86a09aed73eb2356213669c521a0a36dc477ca1a539a76c2df84d

SHA512
7e7a9ba0b3c627d0bb056d0dd96fc53cfd159b133ed3e0f00dae7b61e993823880608b86546a0c05228ca96fc1564191ebcbc021658fa30b9488a8a334faf45a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nss3.dll

Filesize
2.6MB

MD5
64487e234be7ab3659bb38c6032f3f23

SHA1
b4357fa7f97df8095ac7c0529d53229195ecfac5

SHA256
18e2231b61291f496216dfcd413b1c16ae2b922e5ac48316912152b3a911f9dd

SHA512
e87894e358f556c8b8dd0d13beaa96b3a0b81e280e1bb6ddbd145d0886b41bdccc89394fb9bb62175b91aa577a98b440d66d59ef58e6cb6ef4f35d771e5b3dd4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\omni.ja

Filesize
18.5MB

MD5
0cbce5fc1270fd480249726803237f2d

SHA1
410cc9e8b3209d4aa0713e66128ef9f8c0bf9177

SHA256
77152dab3ec8179337f7cf0a7dddf36f794978ff258eb18984f8c3dde808806c

SHA512
e33e61848be753cf41d7ef26444c31b5a8e5eef1d3aca0ea32d283f03f72c47687f2fa450e8916cee37dd8c3d376ff8778bb3409aa9e61293fd675bfddf61474

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Tor Browser.lnk

Filesize
829B

MD5
d05b82c5968ed84dc57734c75823d96b

SHA1
c950107fa6de6a03ea1951718589b9be3e904fd8

SHA256
5a3c2bb8d09f8c55a215ea719264d68e606f930009bcaf3d886e241e74cd8f52

SHA512
f4d142735170886fa99925c575f62c756d94ccccd74a5564ed66f99f7dfb9d0a0c0e8da20b54caacedaf42738020d0fda04a26c0c15a076b78a67e88af75ffe8

Download Submit
memory/224-2699-0x000001E2A9D90000-0x000001E2A9E3D000-memory.dmp

Filesize
692KB

Download
memory/392-2680-0x000002C87C900000-0x000002C87C9AD000-memory.dmp

Filesize
692KB

Download
memory/756-2434-0x00007FF89CF90000-0x00007FF89CF91000-memory.dmp

Filesize
4KB

Download
memory/756-2433-0x00007FF89D550000-0x00007FF89D551000-memory.dmp

Filesize
4KB

Download
memory/756-2600-0x000001B3A2400000-0x000001B3A24AD000-memory.dmp

Filesize
692KB

Download
memory/2892-2615-0x0000011BA8290000-0x0000011BA82A0000-memory.dmp

Filesize
64KB

Download
memory/3096-2048-0x0000000005160000-0x0000000005706000-memory.dmp

Filesize
5.6MB

Download
memory/3096-2046-0x000000006F380000-0x000000006F390000-memory.dmp

Filesize
64KB

Download
memory/3096-2052-0x000000006F380000-0x000000006F390000-memory.dmp

Filesize
64KB

Download
memory/3096-2050-0x0000000004E00000-0x0000000004E0A000-memory.dmp

Filesize
40KB

Download
memory/3096-2049-0x0000000004D50000-0x0000000004DE2000-memory.dmp

Filesize
584KB

Download
memory/3096-2054-0x000000006F380000-0x000000006F390000-memory.dmp

Filesize
64KB

Download
memory/3096-2047-0x0000000000330000-0x0000000000360000-memory.dmp

Filesize
192KB

Download
memory/3096-2043-0x000000006F380000-0x000000006F390000-memory.dmp

Filesize
64KB

Download
memory/3096-2042-0x000000006F380000-0x000000006F390000-memory.dmp

Filesize
64KB

Download
memory/3096-2053-0x000000006F380000-0x000000006F390000-memory.dmp

Filesize
64KB

Download
memory/3096-2055-0x000000006F380000-0x000000006F390000-memory.dmp

Filesize
64KB

Download
memory/3096-2045-0x000000006F380000-0x000000006F390000-memory.dmp

Filesize
64KB

Download
memory/3096-2044-0x000000006F380000-0x000000006F390000-memory.dmp

Filesize
64KB

Download
memory/4232-2697-0x000001BAAC100000-0x000001BAAC1AD000-memory.dmp

Filesize
692KB

Download
memory/4624-2698-0x00000253FABA0000-0x00000253FAC4D000-memory.dmp

Filesize
692KB

Download
memory/4888-2039-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/4888-2034-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/4888-2033-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/4888-2035-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/4888-2040-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/4888-2036-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/4888-2041-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/4888-2037-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/4888-2038-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/5284-2696-0x000001A9C0300000-0x000001A9C03AD000-memory.dmp

Filesize
692KB

Download
memory/5320-1597-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/5320-1595-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/5320-1596-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/5320-1594-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/5320-1560-0x00007FF85CA30000-0x00007FF85CA40000-memory.dmp

Filesize
64KB

Download
memory/5320-1559-0x00007FF85CA30000-0x00007FF85CA40000-memory.dmp

Filesize
64KB

Download
memory/5320-1558-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/5320-1557-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/5320-1556-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/5320-1555-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/5320-1554-0x00007FF85ED50000-0x00007FF85ED60000-memory.dmp

Filesize
64KB

Download
memory/5892-2679-0x0000023DED520000-0x0000023DED5CD000-memory.dmp

Filesize
692KB

Download