blackmatter | c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99

Resubmissions

08-03-2024 01:50

240308-b9hw5sda7w 10

Analysis

max time kernel
817s
max time network
819s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2024 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba375d0625001102fc1f2ccb6f582d91.exe
Size

66KB
MD5

ba375d0625001102fc1f2ccb6f582d91
SHA1

379ebd1eff6f8685f4ff72657626bf6df5383d87
SHA256

c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99
SHA512

795b10a638e289729192de6a6d9964b5ad3b8084f84d58da077ca8ec08c8b8cb1acadb5240962d4ccacf66242bab1430923fc77bdbbfacd0badd64df2ba1487f
SSDEEP

1536:HzICS4AT6GxdEe+TOdincJXvKvWLBjkl:4R7auJXSOhC

Score

10^/10

blackmatter evasion ransomware trojan

Malware Config

Extracted

Path

C:\QVbxJSXxV.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Renames multiple (146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-13.0.13.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	firefox.exe

Executes dropped EXE 41 IoCs

pid	Process
5812	tor-browser-windows-x86_64-portable-13.0.13.exe
5900	tor-browser-windows-x86_64-portable-13.0.13.exe
5968	tor-browser-windows-x86_64-portable-13.0.13.exe
6128	tor-browser-windows-x86_64-portable-13.0.13.exe
5176	firefox.exe
5256	firefox.exe
5748	firefox.exe
4900	firefox.exe
5312	tor.exe
5280	firefox.exe
516	firefox.exe
5376	firefox.exe
1060	firefox.exe
5448	firefox.exe
2052	firefox.exe
4464	firefox.exe
860	firefox.exe
4356	firefox.exe
832	firefox.exe
4048	firefox.exe
2584	firefox.exe
6036	firefox.exe
6132	tor.exe
1004	firefox.exe
4648	firefox.exe
5472	firefox.exe
5544	firefox.exe
1592	firefox.exe
5628	firefox.exe
3040	firefox.exe
5728	firefox.exe
2184	firefox.exe
3616	firefox.exe
3968	tor.exe
2516	firefox.exe
5912	firefox.exe
3100	firefox.exe
1556	firefox.exe
5784	firefox.exe
4588	firefox.exe
3668	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
5812	tor-browser-windows-x86_64-portable-13.0.13.exe
5812	tor-browser-windows-x86_64-portable-13.0.13.exe
5900	tor-browser-windows-x86_64-portable-13.0.13.exe
5900	tor-browser-windows-x86_64-portable-13.0.13.exe
5968	tor-browser-windows-x86_64-portable-13.0.13.exe
5968	tor-browser-windows-x86_64-portable-13.0.13.exe
6128	tor-browser-windows-x86_64-portable-13.0.13.exe
6128	tor-browser-windows-x86_64-portable-13.0.13.exe
5812	tor-browser-windows-x86_64-portable-13.0.13.exe
5176	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5748	firefox.exe
5748	firefox.exe
5748	firefox.exe
5748	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
5280	firefox.exe
5280	firefox.exe
5280	firefox.exe
5280	firefox.exe
516	firefox.exe
4900	firefox.exe
4900	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
5280	firefox.exe
5280	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
1060	firefox.exe
1060	firefox.exe
1060	firefox.exe
1060	firefox.exe
5448	firefox.exe
5448	firefox.exe
5448	firefox.exe
5448	firefox.exe
2052	firefox.exe
1060	firefox.exe
1060	firefox.exe
2052	firefox.exe
2052	firefox.exe
2052	firefox.exe
5448	firefox.exe
5448	firefox.exe
2052	firefox.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\QVbxJSXxV.bmp"	ba375d0625001102fc1f2ccb6f582d91.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\QVbxJSXxV.bmp"	ba375d0625001102fc1f2ccb6f582d91.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1764	ba375d0625001102fc1f2ccb6f582d91.exe
1764	ba375d0625001102fc1f2ccb6f582d91.exe
1764	ba375d0625001102fc1f2ccb6f582d91.exe
1764	ba375d0625001102fc1f2ccb6f582d91.exe
1764	ba375d0625001102fc1f2ccb6f582d91.exe
1764	ba375d0625001102fc1f2ccb6f582d91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\Desktop\WallpaperStyle = "10"	ba375d0625001102fc1f2ccb6f582d91.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International	ba375d0625001102fc1f2ccb6f582d91.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\Desktop	ba375d0625001102fc1f2ccb6f582d91.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-13.0.13.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2288054676-1871194608-3559553667-1000\{4361F634-BFAE-41B2-826C-D78983668122}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 210188.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2776	NOTEPAD.EXE
5652	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1764	ba375d0625001102fc1f2ccb6f582d91.exe
1764	ba375d0625001102fc1f2ccb6f582d91.exe
1764	ba375d0625001102fc1f2ccb6f582d91.exe
1764	ba375d0625001102fc1f2ccb6f582d91.exe
4100	msedge.exe
4100	msedge.exe
4956	msedge.exe
4956	msedge.exe
4020	msedge.exe
4020	msedge.exe
2548	identity_helper.exe
2548	identity_helper.exe
5700	msedge.exe
5700	msedge.exe
5664	msedge.exe
5664	msedge.exe
5664	msedge.exe
5664	msedge.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
3224	msedge.exe
3224	msedge.exe
2496	msedge.exe
2496	msedge.exe
2908	msedge.exe
2908	msedge.exe
3128	msedge.exe
3128	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeBackupPrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeDebugPrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: 36	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeImpersonatePrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeIncBasePriorityPrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeIncreaseQuotaPrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: 33	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeManageVolumePrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeProfSingleProcessPrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeRestorePrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeSecurityPrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeSystemProfilePrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeTakeOwnershipPrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeShutdownPrivilege	1764	ba375d0625001102fc1f2ccb6f582d91.exe
Token: SeBackupPrivilege	4976	vssvc.exe
Token: SeRestorePrivilege	4976	vssvc.exe
Token: SeAuditPrivilege	4976	vssvc.exe
Token: SeDebugPrivilege	5256	firefox.exe
Token: SeDebugPrivilege	5256	firefox.exe
Token: SeDebugPrivilege	2584	firefox.exe
Token: SeDebugPrivilege	2584	firefox.exe
Token: SeDebugPrivilege	2184	firefox.exe
Token: SeDebugPrivilege	2184	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
5256	firefox.exe
2584	firefox.exe
2584	firefox.exe
2584	firefox.exe
2584	firefox.exe
2584	firefox.exe
2584	firefox.exe
2584	firefox.exe
2584	firefox.exe
2584	firefox.exe
2584	firefox.exe
2584	firefox.exe
2584	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5256	firefox.exe
4356	firefox.exe
2584	firefox.exe
2184	firefox.exe
3224	msedge.exe
2496	msedge.exe
2908	msedge.exe
3128	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 4956	2776	NOTEPAD.EXE	100
PID 2776 wrote to memory of 4956	2776	NOTEPAD.EXE	100
PID 4956 wrote to memory of 4840	4956	msedge.exe	101
PID 4956 wrote to memory of 4840	4956	msedge.exe	101
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 5044	4956	msedge.exe	102
PID 4956 wrote to memory of 4100	4956	msedge.exe	103
PID 4956 wrote to memory of 4100	4956	msedge.exe	103
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104
PID 4956 wrote to memory of 4964	4956	msedge.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ba375d0625001102fc1f2ccb6f582d91.exe
"C:\Users\Admin\AppData\Local\Temp\ba375d0625001102fc1f2ccb6f582d91.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\QVbxJSXxV.README.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=873217&q=%28https%3A%2F%2Fwww.torproject.org%2F%29.&form=NPCTXT
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa33cd46f8,0x7ffa33cd4708,0x7ffa33cd4718
    3⤵
    PID:4840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
    3⤵
    PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
    3⤵
    PID:4964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:2100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    3⤵
    PID:2280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
    3⤵
    PID:808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
    3⤵
    PID:3652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5024 /prefetch:8
    3⤵
    PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5048 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:2408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
    3⤵
    PID:348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
    3⤵
    PID:1272
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:8
    3⤵
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
    3⤵
    PID:460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
    3⤵
    PID:1536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
    3⤵
    PID:2340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
    3⤵
    PID:1772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6028 /prefetch:8
    3⤵
    PID:5252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6580 /prefetch:8
    3⤵
    PID:5376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5700
- - C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.13.exe
    "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.13.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:5812
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5176
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5256
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="5256.0.2129650195\986257499" -parentBuildID 20240322115718 -prefsHandle 1852 -prefMapHandle 1648 -prefsLen 19246 -prefMapSize 243612 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {dc40de5b-4a2c-439e-928d-27f9dc00b04e} 5256 gpu
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5748
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="5256.1.1023986335\1399877898" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2988 -prefsLen 20123 -prefMapSize 243612 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {37594ac3-6c85-4c28-8d68-756ef51d0748} 5256 tab
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4900
      - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:4d7cbf85a02128746084b48894610d272b98d94918d6693b5acb2925d1 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 5256 DisableNetwork 1
        6⤵
        Executes dropped EXE
        
        PID:5312
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="5256.2.1258896387\555054854" -childID 2 -isForBrowser -prefsHandle 2268 -prefMapHandle 3016 -prefsLen 20895 -prefMapSize 243612 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c2220fcc-df09-4c60-a2b9-ac91da03ea2f} 5256 tab
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5280
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="5256.3.970645536\1554032138" -childID 3 -isForBrowser -prefsHandle 3364 -prefMapHandle 2276 -prefsLen 20972 -prefMapSize 243612 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b987315b-0c6f-4f94-bd47-bb9692484eb9} 5256 tab
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:516
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="5256.4.80920750\705556151" -parentBuildID 20240322115718 -prefsHandle 2944 -prefMapHandle 3284 -prefsLen 22147 -prefMapSize 243612 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {66cd1881-6981-4472-a480-15970cd227ba} 5256 rdd
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5376
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="5256.5.864121334\1210133076" -childID 4 -isForBrowser -prefsHandle 4376 -prefMapHandle 4372 -prefsLen 22475 -prefMapSize 243612 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {6c9a068d-9682-4db3-a765-02152e281069} 5256 tab
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1060
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="5256.6.1637008881\461023905" -childID 5 -isForBrowser -prefsHandle 4520 -prefMapHandle 4516 -prefsLen 22475 -prefMapSize 243612 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f847f36f-8d3f-4a4b-a6f4-3f0b90e8eeda} 5256 tab
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5448
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="5256.7.1116339746\184827940" -childID 6 -isForBrowser -prefsHandle 4556 -prefMapHandle 4560 -prefsLen 22475 -prefMapSize 243612 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f2fcafbc-7a09-4458-81d2-3b2b6819d77a} 5256 tab
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2052
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="5256.8.549393609\87873103" -childID 7 -isForBrowser -prefsHandle 4780 -prefMapHandle 4376 -prefsLen 22549 -prefMapSize 243612 -jsInitHandle 1244 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ec771777-e2f0-4e1c-8edd-f1c070ce1846} 5256 tab
        6⤵
        Executes dropped EXE
        
        PID:4464
- - C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.13.exe
    "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.13.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5900
- - C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.13.exe
    "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.13.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5968
- - C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.13.exe
    "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.13.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
    3⤵
    PID:2776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
    3⤵
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
    3⤵
    PID:2140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
    3⤵
    PID:5200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
    3⤵
    PID:908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
    3⤵
    PID:5712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
    3⤵
    PID:6068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
    3⤵
    PID:5888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
    3⤵
    PID:5208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
    3⤵
    PID:3408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
    3⤵
    PID:6048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
    3⤵
    PID:904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7716 /prefetch:1
    3⤵
    PID:5808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1
    3⤵
    PID:2500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7456 /prefetch:1
    3⤵
    PID:1412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8424 /prefetch:1
    3⤵
    PID:5956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
    3⤵
    PID:3532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
    3⤵
    PID:5820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9260 /prefetch:1
    3⤵
    PID:6124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9396 /prefetch:1
    3⤵
    PID:4132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9524 /prefetch:1
    3⤵
    PID:4008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9548 /prefetch:1
    3⤵
    PID:5384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9772 /prefetch:1
    3⤵
    PID:1324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10172 /prefetch:1
    3⤵
    PID:3536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
    3⤵
    PID:5400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9100 /prefetch:1
    3⤵
    PID:5076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3666370500255459445,4830144064893061476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8800 /prefetch:1
    3⤵
    PID:5972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4500

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
1⤵
- Executes dropped EXE
PID:860
- C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
  "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4356
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4356.0.1183603938\665823536" -parentBuildID 20240322115718 -prefsHandle 1664 -prefMapHandle 1648 -prefsLen 18663 -prefMapSize 243432 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1d68791f-6cbb-43e2-b568-848d177ded98} 4356 gpu
    3⤵
    - Executes dropped EXE
    PID:832
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Executes dropped EXE
    PID:4048
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2584
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2584.0.1799308067\1503451773" -parentBuildID 20240322115718 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 21784 -prefMapSize 245336 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {4a026b9b-1673-4699-bf71-cba3cdf97ff0} 2584 gpu
        5⤵
        Executes dropped EXE
        
        PID:6036
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:eb4e317a58deaf0260ca470558a392d9e43bdd1f5d1618f441025b8a0b +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 2584 DisableNetwork 1
        5⤵
        Executes dropped EXE
        
        PID:6132
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2584.1.466785366\1721344015" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 2816 -prefsLen 22221 -prefMapSize 245336 -jsInitHandle 1092 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {74fe4811-9293-443d-ab5c-55c6a8d0f046} 2584 tab
        5⤵
        Executes dropped EXE
        
        PID:1004
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2584.2.178585401\27604614" -childID 2 -isForBrowser -prefsHandle 3056 -prefMapHandle 3052 -prefsLen 22294 -prefMapSize 245336 -jsInitHandle 1092 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c2b1aa48-2e50-47d6-81ef-d7c8ac3c76d6} 2584 tab
        5⤵
        Executes dropped EXE
        
        PID:4648
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2584.3.1652714302\782120498" -childID 3 -isForBrowser -prefsHandle 3820 -prefMapHandle 3816 -prefsLen 21126 -prefMapSize 245336 -jsInitHandle 1092 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f89bfa6a-377d-4eb4-b1b1-5904b110583b} 2584 tab
        5⤵
        Executes dropped EXE
        
        PID:5472
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2584.4.179627626\538682561" -childID 4 -isForBrowser -prefsHandle 3988 -prefMapHandle 3996 -prefsLen 21126 -prefMapSize 245336 -jsInitHandle 1092 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f5de97e2-8fd3-4e70-9bee-958c15159b8b} 2584 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5544
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2584.5.2122946710\1336255106" -childID 5 -isForBrowser -prefsHandle 4200 -prefMapHandle 4196 -prefsLen 21126 -prefMapSize 245336 -jsInitHandle 1092 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c669b25b-a749-424d-9875-0620bcf50559} 2584 tab
        5⤵
        Executes dropped EXE
        
        PID:1592
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2584.6.854727214\959258107" -childID 6 -isForBrowser -prefsHandle 4680 -prefMapHandle 4676 -prefsLen 21274 -prefMapSize 245336 -jsInitHandle 1092 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {524d62ab-1ae2-4abe-ae05-08067edb80e2} 2584 tab
        5⤵
        Executes dropped EXE
        
        PID:5628
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2584.7.1424179763\1902105247" -childID 7 -isForBrowser -prefsHandle 3844 -prefMapHandle 3356 -prefsLen 21274 -prefMapSize 245336 -jsInitHandle 1092 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2eb9211e-8923-401d-a2f1-563eb0cdee5a} 2584 tab
        5⤵
        Executes dropped EXE
        
        PID:3040

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\QVbxJSXxV.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3752

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
1⤵
- Executes dropped EXE
PID:5728
- C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
  "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2184
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2184.0.1928101549\1492757109" -parentBuildID 20240322115718 -prefsHandle 1656 -prefMapHandle 1648 -prefsLen 21816 -prefMapSize 245336 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2061623d-9896-4ade-b7ac-36e20f6487ac} 2184 gpu
    3⤵
    - Executes dropped EXE
    PID:3616
- - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:d88b92e9e6fb874a60eea13e34f390740d35a6a88cd6b60ed316962d47 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 2184 DisableNetwork 1
    3⤵
    - Executes dropped EXE
    PID:3968
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2184.1.853339101\592249310" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3056 -prefsLen 22294 -prefMapSize 245336 -jsInitHandle 1260 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c4a3fd33-1113-479d-a5ac-04401cecdf60} 2184 tab
    3⤵
    - Executes dropped EXE
    PID:2516
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2184.2.203724070\368016869" -childID 2 -isForBrowser -prefsHandle 2752 -prefMapHandle 2988 -prefsLen 22335 -prefMapSize 245336 -jsInitHandle 1260 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f5be01ae-0a5f-4b3c-a94d-263a20e7cd7d} 2184 tab
    3⤵
    - Executes dropped EXE
    PID:5912
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2184.3.362861557\118549186" -childID 3 -isForBrowser -prefsHandle 3684 -prefMapHandle 3688 -prefsLen 21315 -prefMapSize 245336 -jsInitHandle 1260 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {4a4a7521-e8b3-4000-a4c1-4086243916bc} 2184 tab
    3⤵
    - Executes dropped EXE
    PID:3100
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2184.4.1732689556\637230288" -childID 4 -isForBrowser -prefsHandle 3940 -prefMapHandle 2972 -prefsLen 21315 -prefMapSize 245336 -jsInitHandle 1260 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b4f1699a-1824-4b34-b9ed-bc1ac8491fcf} 2184 tab
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1556
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2184.5.1387851776\164717599" -childID 5 -isForBrowser -prefsHandle 3956 -prefMapHandle 3960 -prefsLen 21315 -prefMapSize 245336 -jsInitHandle 1260 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {03851825-51c9-415d-bbad-eb843cf60bd6} 2184 tab
    3⤵
    - Executes dropped EXE
    PID:5784
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2184.6.1985671643\143788656" -childID 6 -isForBrowser -prefsHandle 3956 -prefMapHandle 3960 -prefsLen 21315 -prefMapSize 245336 -jsInitHandle 1260 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {3fbb38ae-37cd-475e-8493-026317d0f882} 2184 tab
    3⤵
    - Executes dropped EXE
    PID:4588
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="2184.7.1727516252\1334627065" -childID 7 -isForBrowser -prefsHandle 3860 -prefMapHandle 2872 -prefsLen 21315 -prefMapSize 245336 -jsInitHandle 1260 -jsInitLen 240916 -parentBuildID 20240322115718 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {111e6c1d-39f2-47d8-9cdf-1c4b00810781} 2184 tab
    3⤵
    - Executes dropped EXE
    PID:3668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x4fc
1⤵
PID:5204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\QVbxJSXxV.README.txt

Filesize
1KB

MD5
8a485e9f1237d69236522d2409a7fc3c

SHA1
fab1b7c56399623ae49ba840d0a88deb20099b5d

SHA256
d9006d5c753c364b27388831f03332f404b719a66f344ce8b1a340da24e93d53

SHA512
d0f2416496c77ad305de712ac8b6b42d9b57337eec88e66dddd8fc59309acda7a08ab3a492b961a850e8e501eafc0b23f6371af78210b86beefaae980e014483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7e0880992c640aca08737893588a0010

SHA1
6ceec5cb125a52751de8aeda4bab7112f68ae0fe

SHA256
8649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2

SHA512
52bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e2f0fe48e7ee1aad1c24db5c01c354a

SHA1
5bfeb862e107dd290d87385dc9369bd7a1006b36

SHA256
f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9

SHA512
140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\44a7d822-0dc4-4b6d-9ef5-3ee0401993fd.tmp

Filesize
6KB

MD5
1d51b20847e54a81a229c325bccb63df

SHA1
a3d1844b6ccd9c33eb9a858cc40151c9ba465960

SHA256
a31b9559c5e4da21c90ffcbbcd4cefa23b8cb0358fe177418c3ca29a0564517b

SHA512
ea898f6ba45e96c0d71845756ed570d34afb9f3c80d44087a59848651fd4d21b0f1c6cc2550f443936642104cc5a94a9a45958e8da974be1bd9cad96bc7b9eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
aac57f6f587f163486628b8860aa3637

SHA1
b1b51e14672caae2361f0e2c54b72d1107cfce54

SHA256
0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486

SHA512
0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
36KB

MD5
1548c5f675f1d1fb0e51d7c1f506aa78

SHA1
4170f4215c2c9ea4eadcf3770dac2ced5e11f413

SHA256
2149403b038e0b92af4544cabd1b5b0cebe5b3caf3bfd17b0a4d8fe96fb3bc48

SHA512
b724040d3d6228f9b08c3f4a94148585ce385ee25af0eb83ccb78edbaaaf4efb94a81e19e27770adc5f34f34a8fd5ef90234e02f25d773aa09b4fd3f13c2664e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
d404b61450122b2ad393c3ece0597317

SHA1
d18809185baef8ec6bbbaca300a2fdb4b76a1f56

SHA256
03551254e2231ecd9c7ee816b488ecbde5d899009cd9abbe44351d98fbf2f5fb

SHA512
cb1a2867cc53733dc72cd294d1b549fa571a041d72de0fa4d7d9195bcac9f8245c2095e6a6f1ece0e55279fa26337cdcc82d4c269e1dd186cbbd2b974e2d6a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
33KB

MD5
3cd0f2f60ab620c7be0c2c3dbf2cda97

SHA1
47fad82bfa9a32d578c0c84aed2840c55bd27bfb

SHA256
29a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b

SHA512
ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
74KB

MD5
bc9faa8bb6aae687766b2db2e055a494

SHA1
34b2395d1b6908afcd60f92cdd8e7153939191e4

SHA256
4a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed

SHA512
621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
21KB

MD5
a77d6af96572edc92d069f23a496a6ba

SHA1
c9bcbc506af9e5166d1c6ce1c1e67db6244f698f

SHA256
43150b44348532ec40ec57c58897bd8fd53d35ff39e241763c911a77d13c3a72

SHA512
a27f796a30af998a1bf06a6d2e0d74d5320831c35eb6817eb9c52fef8421ec995e807c4873fd780d50a5cd33dbc5b8e01bbe66f23a663ea7885adb1de9ef98f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
20KB

MD5
01d54c5e277afdcfee5a2a569c6db36f

SHA1
3820fe2a497d89c040f7816196e54bd2c266e9a2

SHA256
37845cded375ea0431d5d1b087db8d9850bc74ec1d31af30eb6398d99a0c593c

SHA512
e681bbed14f4263dc9933b0e9b44facf7d79b21641c6781ec0ff5fa32596805a30b1c8b7a4fe4904dccbfb1ecf8c26258bcdfe40cc9bf7bbfe822121633d88f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
198KB

MD5
319e0c36436ee0bf24476acbcc83565c

SHA1
fb2658d5791fe5b37424119557ab8cee30acdc54

SHA256
f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1

SHA512
ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000074

Filesize
62KB

MD5
a1049ef0608a6ddb0ab75cb79ea8fe19

SHA1
cb4693e21215e7d9a59bebc2c8b56b9d127dc137

SHA256
bd762e8d2cc3fdb113012bdb3d340aef64af2a1b91d1a787bc3de8198cc11346

SHA512
e52517ff69a27f3d34a20c67b3b3d5cd86b8228287ed3b924e97a8f893f0aab09ecb1f19c2ea4dfd54cac507b4ec99e8f0ea23638d0384d4337b30294db619e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000075

Filesize
31KB

MD5
44c814efc5001b046870408993412f9b

SHA1
4eef0368867c99e6f174fcd3c9eac2b8034e612c

SHA256
c4f2c55404dedc4a65520e0007f50105d5d6927219c45da46d964633bf42a4d2

SHA512
f45bcc13a09bd311fbf8bacabce9bdd9927e73b90075ea6bf500f3ebd0636368d65761d2ae2d9c295266f2393e6b67c4007efef1add09cb44cac5d34cbfb3e81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000083

Filesize
19KB

MD5
3c08ea28594c96031b19d0a42e717539

SHA1
c071b1cf58173811299272af7857598f7f923ea3

SHA256
a98022da7bbf7eba3c74954b67c237417e7511c0a6b282c3c00213fad46d31cf

SHA512
0fcff0835a56760fe26b1814799fb92b1604675a933f02b5e104e79ea3ddf8d4eb20159c5887a4baf9ff4f4dcd552f3dba1e8419977329a5951bcd10a075b541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000085

Filesize
38KB

MD5
2b7ec9fe5044c75348bc52964bf50b78

SHA1
039e784c53ba423877c5c845ffb044abbf4c110e

SHA256
71c9403962b1f930169325d2c812125a0088d2a695609486bb6f31185e84ff97

SHA512
92cb64599e198177093bda32e1c962fdccaa049d9875292b97c6b014d0d0afde750dcef27151751dda3f8639df41bed611bce7816c04d4e581b17b132d169016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000087

Filesize
102KB

MD5
cd2e8092a1e03a51c6cc2b1623b5ffcd

SHA1
17809ce118c6d917452f211931924a45a4148328

SHA256
7b351f6818dd149bff3f70ae51926ef9d0b26c6c6d533c9af5f059fc23234b8b

SHA512
2617edec7c9e1bd10f5c28fc86fd6daf00247ed8d6b84be9b88e9bd2703b1e7c6102f9435d3b7d089a028fdb771b71b6217e43ab2127e10ebb326be01c8d952b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000091

Filesize
45KB

MD5
552e1bec0461586b8a503c5b4a62235e

SHA1
bfb0e280634695b06dd8a8193600556438e77e34

SHA256
925dc30b1335fdb733e89841bee9fdaecc4dffc435efc1ceaf7fed96488b7495

SHA512
e0cc4adc1a6f61d02e71e3c6d42170dc9e0efc55060c771483b3c381fa3fc99dc0602c7da03f22b59f8872a9d8d21c63bce8ad72cb6f0e55feb3bebb2fe5d0f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000094

Filesize
16KB

MD5
9c6b5ce6b3452e98573e6409c34dd73c

SHA1
de607fadef62e36945a409a838eb8fc36d819b42

SHA256
cd729039a1b314b25ea94b5c45c8d575d3387f7df83f98c233614bf09484a1fc

SHA512
4cfd6cc6e7af1e1c300a363a9be2c973d1797d2cd9b9009d9e1389b418dde76f5f976a6b4c2bf7ad075d784b5459f46420677370d72a0aaacd0bd477b251b8d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a2

Filesize
65KB

MD5
34717ce01e946a0d385473ec97d2e845

SHA1
a369937730ed782bd4ff490db7168da743d24d65

SHA256
3cc6335d28f8eaed16356da8786fdd98b861605f34b685e1ab011b152b34f27f

SHA512
4e389044e0c2095f8365353aed53f25e3f5138622f1c34ec33d4b7f4c19c3f07df21435b1b23e2f97b562562ed02d92edfb6cee7cdf60c1c78d97988860095d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
d988a77ed64da2719c1c38b868fd5421

SHA1
ceba65e0afec3a551145aa917638594c7d21a15c

SHA256
94486eb516b8830f17391f6b85dda96b44ec2a7decb02c4623d29ce7b201e12d

SHA512
6ddf61a30e3e898318f0112affd65c99eaaef34d162d1f807259b33d5d98b1e0fb42c202f8c8fe47f550afe77567dd0a45eeb7b28b775e0e1ec13165797fe98b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
24f921d6d3f5d470705a655af8fddc06

SHA1
4d39dbe7384190e1de27e53c96889ada8f2a310d

SHA256
7c010f7db1b43214339705cbeb0f6c98ade7a37316691435a4cb12b7d243f700

SHA512
2845929e229e58c1b28b1c3209aa26e02c34aeaede76816258ede28e7b7e7d4e83afb5c7cab6fbef0e3288cb78e5daa7663b2ef1d8605b82bd3a43bc4316a1a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
595394b5c553bdcd682b5c490fd55555

SHA1
2ba679bcb697c81f7adc9f89e5bcb73d34ad8797

SHA256
32575a169881773cb02889381f4e16502a8cf17cdebb29a9474f6173267a3022

SHA512
9c45bdc71ad9f3dbfa412dd3b6e05136c126f70f3693112475efac9e6f586b8bcee1f322666f47a4fc244ae28d334886b0e2eccd96fa1ada9d7aa5ca46c4d21f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
8f8aa0e678b755ffc4183798c8671f5f

SHA1
81fbbed73054a7f0c308cf0cd0722f0a5ca80660

SHA256
26303b96f7d92247aa2120918d3d512843428413c2ecc957ff0abc54be8fd479

SHA512
121b4d476a9638412809011035256b7269a14fef5edc3f19b6b119e3f2857e52c838635d89a2af8de4a4abc3a246ba0b5caf099e95889d69e576e9993904c3f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e115cf1e573ef779df27b348d9076ca0

SHA1
8bced7622717b0bb6656ce91e3f179acbf1d1c4e

SHA256
876df59babeade8dd245c468a5853e8e8b3614210976a797d1d342805e0cf915

SHA512
25429656642c61027e573af0f332ae49d1779d2ead2230e717a277bb2bcae72349ff7bd3745175497217ce89895a01881700951f3ccc4acedd82260bf15bcba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e53855fed4f7e42b3c91311223b85656

SHA1
de366927e7b9e5d6e932b7fb0fc272df247d26ae

SHA256
bc3e1fffdd451758c9f7f109c5fa9773aaf3b05fe639d52bd1536fd297476cf4

SHA512
27f1ef6164aa4e1a35b1804346e2a7397bcf43343fe4303ae4b06ec90766a83eee4f80177b57b9baddaa16b169a24c9ca07dff2e735863fec9302eee4a01b6b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4e07c7da5f7bd7e72e335ff968b95a32

SHA1
8fdd577f172bed5e61bbd97be232c9855bd8b10e

SHA256
04221db1c698d8f23eb89b2536055bdba6f76acb7d73f65f7c44afb86059884d

SHA512
3a71144ba2f0c4aa2cb466e1dbf834772555ce940dd65e7895e25a3b9ef9f9100ac0694f53af8a2180fb7f3adeb80f36c828c9df39f750fbb18ca62e7ec06ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cd2f760f87d158c71c432ca9d7b81660

SHA1
88c039d7437b5f8f7a15d9e9165105f29459cef6

SHA256
855beb9c6746bb1f57e8f2b55623b6ce1040aec61e60f3ca1d173a02e0a168b3

SHA512
c77ee305c04f6807540695401beab8c9d3358b745d026dc5496fc4b9844642e7365c35f23cdf092b430bceec42761145bc7e4a9b6d6e84c717897a5eb18d8ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
467B

MD5
6a58d46c3169bec1e014ff0012aaa05c

SHA1
32ad39402f57a857694514ed0be15b7a586f108b

SHA256
b7cfea7e27f25a32d41b95160ca1b4c15dc4e383728722607d7fab49f3e78ede

SHA512
ba2a3d788f918a8b514b81594452e4c6fdf1211b93691a2dd479a3f422e20839f91f979a457009e8ce20da0050ee4cd2e04a0e9e055dcb22a41ecff747a412d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
739c2e3b7afb246fee9190308f7108f9

SHA1
0f923bdb288042d3eb643b78d32c2e9f597a3d65

SHA256
4332a132a12590f6e815dca0ef29a6029d839b880cafb50e98908e606e3bea76

SHA512
01aebd53ac49d3d3bd0707a8f80422a631edcbe5720f60a4e14c69ab9c7c8cbf4c1ccd934e95478425829e7e5f1dfffdedd7436161d775ca9db785e3fd5c3bc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
f6e5cb486061d6dec2ccd125b97dcead

SHA1
6a1f365b60ee96f7b8b962e004da764c61f97611

SHA256
32d92fc45537240886900a8673d7742ad263743d688aa5e7aa53905b84335a4e

SHA512
3ec9642c1a86b214e198e6ae061a4df43fff781ae6de45576cb20e62c5060f9022ac36d66e1e934c286d8e491ac58f8aa16dc3a1ccc3d4048131b5f9dbfc7e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d05536fa52fc8b857b4d3809f51ef87d

SHA1
ef25e700f308656a798aca729851836cb57fb91f

SHA256
72df6268f649e4ac1856d6a090f15ac48c86af342bfc81ced2529de13d6d903f

SHA512
41467c6359f97b998b2eb99f3f05d828857447bc98227ae6015f59f9414ec6007eee7d72b77a54b1d59afd30abae25ac8b39d480c28487e4cf697cbb923f9f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
891ffcf87a598a7b9d1ae95c162d66bf

SHA1
568046db4e13e287868557458310f4548cab9516

SHA256
622e007a760797804f536160152dacf114849a1411603cc66d3692842fea0c9e

SHA512
252a91eded3271b2135c59e5c6d99cdf8710f1648650d66c3d582f7e4df369cbb390a4c30e4233ad498ffb445bc66949446c5069f13704780eeb8d3c63a1634f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b188bc7c6c18ced1586562e588218e7f

SHA1
a0b3489dcc043f1c14a3336913d6ca0c82eebe78

SHA256
96c96b493010c8b29bf5542ad6dfaef95f096dc5c99815dc592e0761f8f9f40d

SHA512
2328413d5ec3c2bede2150ab1373f23b4e2fbbbe8585619414867acc10c074c9dba618a34f9dd4f78d2203e622d3482e136bc2779c0cd7aa41d3cfabe852db49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9543a512943bf55e338d918a4ee8df96

SHA1
b1d991b3a04bf63d83b3091b18ebf5bdb4d5602a

SHA256
a2dccea8414713166d2b3d2df8caaaa20260b467b54cfad2742fc90d3385f323

SHA512
933a5983cd14253672b3cf325b3a19ebe6ab05641bec8aab47b5471bee49161c945a3b63d2731725a0d07e1f1f5411045b3c03f40ecff131bff574befed3725e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f15f1f4d678e9bf20c1f686e735ea203

SHA1
c149f38349ea464ea84b35d0fb4374e480f4ab2c

SHA256
d5e4c7d9b2a8a3900d6d81b20a7294444794a79b1a7069126cccdab96ff70e12

SHA512
14d9e9bef5faafde56e4be77da831b1bb2e82879c421ab660d66e210900e2db5fe5adc1e2eef661d9cb35e26a3f1c6ac1c0760215cb65b11492325201de8b033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
a3a9f7eec2e4110fe188dfaf1b61b5cd

SHA1
f44c5c79e8bd90e465ed2da6255c80ec2f5dbe08

SHA256
d228d0316ac3a9b39a042c19d0e082fd6c55e9b939c7bf51aa4bdc0c907a8155

SHA512
d9fc784b4432b52b9f7b2e70786ab2a151d80832bbcd2d5168106a17443b6780ddb7742ccfbf11a70fe7668eb0738a65a1998fc03297726c8c47689d4eba4cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e2422e1f982d60ed97ba100c2f3d8005

SHA1
3664b00fce1f32aceb4b6fa5c54c38f23affccd9

SHA256
e2dfb858058d2bb9348c9433c11337a11ddb608e7b26ea2fdb16db5af63a012b

SHA512
f33f52fe30b5c010ec8a1a4cb3b1b09e227ef67f16385e9313c61ba67cea5669e216815c2094136b69fb20a6e79f26d815e5352898121a406539e22c8a03f02f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
842c9c3bb1e4932ba8d97a2107da0ac9

SHA1
d31b045c954af5df103544219b358c2cadc95cf6

SHA256
9fa785b39bf290d1e1eb67a7897c187b7e2cd370aba47865852f9fce5c9941bd

SHA512
04a0fe5f33fa27d3d94aaa5810f9019f8a201f37b9b7dfbfce2254bac0234c51d29cba2f69b781cc18bf0e5e209835ac31f3713be1ce77aaf16f634dee256748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96bc3224192e27305430414143c852bc

SHA1
f098febebfde64cb253cde8220a277d8cd00c48e

SHA256
f8122e47fadeb6d79def6c3fc4d60b4c899b2179334232d51c5cb58f8c2748fc

SHA512
d9cc97b62ec7b7d085b20c441e7253ca88ed64301a47a9dce3b20be18f2c705d6727ff41cb3b2003b67798e9534d466faf420b46594d8b1cdfe69f078fae4350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b36344ac8e56f97c55a824668d4f89a4

SHA1
747b35441ccd0b5e3b11edf546ee2e6315061886

SHA256
dc7705b8f3c113edc15a12dae6142c211d9c357fd9e9369646e7049b73d27a86

SHA512
57ffbf06fa4d82a853f9cb3c9f55ed0bcadf70b379628c9eb69fff8b40d9c7eaef9179e9744d2ee2762de7aefc77ed884b88cc2a6817b0da4e242113ef924775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
384b7e839f8c3565872fdd98a86b99c0

SHA1
8789e7295803a329205e3329c21d48081e6e7325

SHA256
ec4271f8a45db3d66c8787f4b8ef9eab62c1762d651eecd32c4f867c615e74d5

SHA512
b3c38b40738c7db890c713b1557643c091858cc31a5ad5500dd851f5febe33c588527c8179a22db5a9323d993985cae4053e344d2c43af4e8874f63fbc28df4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f5f791b9f8d77ede3bcac6041a10e34

SHA1
ad01bf71c5692dc9004529afb7b79e6514c245fd

SHA256
54f522c1d29978e8fe36da83d553b214be12548836b2f4775bbe28f6ab32a843

SHA512
d46829d0c28d133e81fdbbf3f48d8c5ae809073b6a10f3db29637387ad6341d3ddd6e42b93d7e5afa3e6c9f8ec3e4b66f2976ca2425c08a84eb75da2af087cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
99ee6c413d3dd513929390f10c5fd871

SHA1
0187e4e504e67f4a488cf0cdd34c7da34a1da972

SHA256
16a8502464cc28adc117208b31972a940a72adc15c605b95fbb7ac18a71626ba

SHA512
2357f47b0930c4a83ebf7be2d9c1e4b64fd9654b507bfa97b00c5f8329e1dd396d6703248230e27b701f423acff155f25472d21ca67a0c6aeec9da723d55d5c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
c387bd70dae30704b0080a74ed2687d4

SHA1
a48e85a92cc561e60f9af26ea6ce7da88b36ba01

SHA256
b36467797f34dab01780adb39ae7b38cd583b25244a131b29c5225c83167eeb0

SHA512
cdeb6b7eea7e1b67326d352a22d3f75517fb2112f6af851a624f62e6f5a18bb8264df03b75acd27954943373650efaf0a29a84b246adfb860f3129063a9cb3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
58602b611054c9125263bc289c7c69e4

SHA1
1653e24e2b3907001a645590c324b55159e005da

SHA256
6f1457c8b82f0feb05a3d134c6feb2a7e5bb351d5a48834ef71c571928b9d3e7

SHA512
6530840ae81d5658c49d3b854c2d9b47e2c864f13222646696df63039164c2d860c9a450d6bf7ceaddbe84661e84d8a26fe37dcc8a30ffe44bca43320dcf293e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
f6e7cb0fdc1d5dad2c060f150e0b705f

SHA1
b43a0ac741295905e7c5ad545abdb0d951bf48fe

SHA256
b161e224c918cdf68ba1f39c2b9643880c361d51bf887d5b33ef8a0e91865d55

SHA512
5063a76de3bb4fc652533fc1bfbf799103c7c14afcf58789922db69aafd88c69d0bae12d2309fc7c5cbe2a22aeda26d6ba40b5dc8330c5b03e76b3743c76f414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
f03bbceed2af96e671ec5553b39b6d06

SHA1
3d54ff4afea7629c87c7bfc4f5b30c8fb7b15c0b

SHA256
31ec0c193847f96575979960b7ad200d806712d1bd7778826499180cf7d689fd

SHA512
0b8b66441c957b3a3740694212b957b39e687818d215f3025ddd4f96e79f6169d18fbee98987a0bb3aaeb6a9b7e19e5c1c0e638cbd06ea88e0fb9d4950a25cca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f01d72f3d253841fe96ecf1e22152f9

SHA1
cdd55d605f74da5d9001f0aca1c5bfb42be04ee1

SHA256
04cff38a7f612e1dfa4b612cdd04bfd9c0c412b407b3c2c818167808c5228862

SHA512
e01c0a791eab243f2e806d55416410ef2809d4679aacde2548345fb278e775b0abe2af6e6eb8ec8f616c1d8398be46e4523eda2c34882d3f52cc3c91c534f800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
d2ff478f6a6436f6b89418e4f749fbc6

SHA1
271979060ab20a8a655d170f111c8b13403ff42e

SHA256
8e69202b3d310a2b49d2a369675eceb16da5811cd1194ab545ce350a2bd076ee

SHA512
e9886c2fe9c756a6ee097ccce4fa6719c0f6b54fa92bd5c4d10303b309bc792e4ada36f30181d1d5d3ad78d128a56e480c8e4602867247b1fd60c46b42dffe8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8b379fd56b19afbf58196e6f08afb54

SHA1
ec2920abd9eb41835f8d41afa726a778ae9c6fae

SHA256
c32a77a2b5f349043da358fa90259c9801ac1009dd7bd36d7103efacbf9ebf9e

SHA512
670b98d0b2e2f8c2e8dfc24830ce83b2e3c578beb0c5052407b042747e9ec0e86f3afc13ecb24e84979ae36d7e284547b29a7fa57751f76e5689ae18aaced5d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4cf7760947355ee6fdcc6391eb057b4d

SHA1
b83020bd63e0e53f7ac3d48d4bbac1654d7396c2

SHA256
7b2ac49ebc9b33daf9c0c59ee59e0b0676df7707897df4f25cecb0257778631f

SHA512
9ea922a3fac9d1d3aa82155d6e9ae31a14255b033e6d0315b76407e0a5456088a255a6225d3e1b252c3497633608f1a0cb3a752d8b0a5575ba41b25839fe26e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584ab0.TMP

Filesize
873B

MD5
04b1f8e3121329420f1f9a49d8f86275

SHA1
02ace77822ff12a42a9c37336ce20c3833a9b002

SHA256
d84d4d92a3f079d28d8d9b84bf1fab89e4fd0e858db18bbc340d55c17cfc3e22

SHA512
43fdb28363dfc32b0448b99e15eb9ae20763431b3c77163a1679b41b1bdd381de4afc14be7c13703600f24e9dbde8e56e1d66b665102694e0d3cc6ba4fe07d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
59a68ba9e9b93927a7a865414aebf6f0

SHA1
3de20a32a231aaa901b6e8c94fabf82784c2c3fd

SHA256
ee6fe84859c06eaa6fac47decfc0c5319c6b0d84a5cf8e32127d32663b2d2af1

SHA512
bd60d99ab14d667109f4ed1cae08769090a35085f64059929962fb310feb8be7bde6e4106c4353152f54e5416f6f1ed385391a1d11a5182a3c62aceb49f6dfd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
136e77d31c945903287beb48245a1fd2

SHA1
409655cb23c2e263255f6dff333e995119b710a6

SHA256
c501fb0b2aecb9b9c65f38c8b913d35e0e93ad04c7a8210aab1538349f4e406a

SHA512
06f11a2f1100dbc33309c9be0ec2ce80c400f86c7255a4be34efc9abdad54c9bf9ea1a02b1f71e59d7432e471819bf373a6395dcff8f1aed9651ab92ca98be3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b7813bb70ba92d5327afbc4006071387

SHA1
9a7554e88e0a14d9d61226bd1ce3326ac0af5f77

SHA256
6231de4d8f3b46b4d93b9176f59d578615627034eea925ac877c98607cd61efc

SHA512
6f65eecd9cbc7ff78f4b77b750c3c82e6e29874a6a99e1048aad14dca70683272da2cc03c981c527e5da766c3a006db9f40f90778db5db296f7d4c1d3273ff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8F8B.tmp\LangDLL.dll

Filesize
8KB

MD5
59888d7d17f0100e5cffe2aca0b3dfaf

SHA1
8563187a53d22f33b90260819624943204924fdc

SHA256
f9075791123be825d521525377f340b0f811e55dcec00d0e8d0347f14733f8a3

SHA512
d4ca43a00c689fa3204ce859fdd56cf47f92c10ba5cfa93bb987908a072364685b757c85febc11f8b3f869f413b07c6fcc8c3a3c81c9b5de3fba30d35495ff23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8F8B.tmp\System.dll

Filesize
25KB

MD5
480304643eee06e32bfc0ff7e922c5b2

SHA1
383c23b3aba0450416b9fe60e77663ee96bb8359

SHA256
f2bb03ddaeb75b17a006bc7fc652730d09a88d62861c2681a14ab2a21ef597ce

SHA512
125c8d2ccbfd5e123ce680b689ac7a2452f2d14c5bfbb48385d64e24b28b6de97b53916c383945f2ff8d4528fef115fbb0b45a43ffa4579199e16d1004cf1642

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8F8B.tmp\nsDialogs.dll

Filesize
14KB

MD5
990eb444cf524aa6e436295d5fc1d671

SHA1
ae599a54c0d3d57a2f8443ad7fc14a28fe26cac3

SHA256
46b59010064c703fbaf22b0dbafadb5bd82ab5399f8b4badcc9eeda9329dbab8

SHA512
d1e4eb477c90803ddf07d75f5d94c2dacfdcd3e786a74ea7c521401e116abf036d9399e467d2d12bd1a7c1abda2f1d6d15b40c8039fd6ec79ba5fe4119674c27

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
7fba44cb533472c1e260d1f28892d86b

SHA1
727dce051fc511e000053952d568f77b538107bb

SHA256
14fb5cda1708000576f35c39c15f80a0c653afaf42ed137a3d31678f94b6e8bf

SHA512
1330b0f39614a3af2a6f5e1ea558b3f5451a7af20b6f7a704784b139a0ec17a20c8d7b903424cb8020a003319a3d75794e9fe8bc0aeb39e81721b9b2fdb9e031

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
b1c8aa9861b461806c9e738511edd6ae

SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8

SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70

SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json.tmp

Filesize
27KB

MD5
bfeaac6b7d74eb3d0b16e842d5a25a6a

SHA1
37494929823b8be9852113a00e8bd1adb9b42351

SHA256
5d56873154b74298ba4c98838de974f371a012f81683d985bc3af3800e0f60de

SHA512
3bffb8ce60d8d6b5019d627369099a67b46a66dec0689aa4709500f2021692d7c7bef5df7444e0ef684cfc640c1be0dcb090550f67e136328eabbb15d79945fa

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
b24a82e1ffe484bb6bbecaaa5226090c

SHA1
89ad6b4e016aa8e33a1714a2e962aaec52f2bacc

SHA256
3f2044f1c761a39f5c89fd6a9f1f3a7044f534f09a700ea8843157415dece997

SHA512
19e753dd48b19418db0def777a8c21efa34c53dc587063503530926396b2ae8d3d1c5e62ad241cf14299dab572d40234edd279c7d68944efa394f02ae6808e20

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
79a303b338f23a40b7e8ea72b3994539

SHA1
38a13c2930355466efe7076370f6902319476ff8

SHA256
247e9566ebda2b0c6b4a697040d2e2a08a05bdfe6ffbf59a369174d1094ba192

SHA512
4e307120eebe07d5ddcc81727e4513f85ec890229f2244c680554b76f432b5cf49c019d954aaf163204086c640559964d91baf1924855a7e07b3b8826a9c5b08

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
6KB

MD5
fe9d4fa790d3fe08a72279aee710bef0

SHA1
a7323ca060275b54cc9221efd72611f807d10e9c

SHA256
8815d71bd6261ecd85635466d25f41317434f7118f487ef28896e0d4058d7ef7

SHA512
5c747dbeb83dc3081fbd1d55184b8d0e84026bfe9fc01623fef9c3ecd21240b3cae727da7b85d4553be6aa53aa6bc04ad34e196b17be1a15e3abfde6b0baefa6

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
de612c94604ad6f017e4550e1b628874

SHA1
1e9511fc5aa4b3556d4247746a4bf081a6994ff2

SHA256
3e368842bc1cb6d8a81d59b21f451cd0228ebc579bea5041c33b8ee4132aeec2

SHA512
ee706e1d8c21441fc26e4d59a4f7110b108333cf8e9871cfa9cb75ae8fcde808bcf80a553ba19acb60dcfa797f344616ad2deceacc29599ba55d9bf24bc62ea7

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
6KB

MD5
a61909525e8e803035e0b3aca94fa07f

SHA1
aaca2231d6f28f8dbc7ebbf26edae56bf09d2c68

SHA256
5bf3a866490251da2b92f83cef2f162c3ea250f3202629f38b02193bd4e72128

SHA512
a31d5460b4fd55b0372c81ca8888953c157f1a22b6e7e63dae25cdaa82c71af46ff619a2df9e895edb7c420d68a8f95eca17389888a151348aa0a4c8e46e5c81

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
6KB

MD5
756d2fb301fc33ab5abcbe2c714771d3

SHA1
f7d9577c8bca7931a58376461d221ded783eda92

SHA256
abfca6693cad9c86da8031d6085faf53463a93d0b5e48886e376f6a191a6566d

SHA512
797796a69f6849778852443350edf5adfb7a060963cda13928818a7b1817550c8e84f8da1d306346cf768aef4daa23f7d9e09e76102a30184e9202da9df6f22a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
f3620f9ec1d4407447c5fdf194890d17

SHA1
1fde067f3921d75311dfa8c7ae387f09c3e7dc2b

SHA256
1aedb12db9a50a2e9601b215ecf0c07e11691146cf12f20ba2693cd303a8d1d0

SHA512
33d856fb42bae9779f912d1116ec608b84b7d32f834886ca33e58447dbe5e06dc9f49c61b62b92446e97949b4a5986eb30647d2154d22e9c345e4c1939d66856

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
866B

MD5
aa3ba7cf85ba80cf4b8ee579eba1c2e1

SHA1
338e2d0034d761729ce52bfdd61bbbe2c803363d

SHA256
44d37e2d6d5567a384bcbb392d25fd0205a372b15ed80ada72ef612de321a47b

SHA512
4dca0d8000d75bbb1c115bd80f86b39ff16833c57f45b742b4b5fbbb767e38b4343532290a61469428b57c4d554a139e07274b0aa3cfe1221e54f2ef53e4cd30

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json.tmp

Filesize
241B

MD5
48fcad918c62db97e9af1dba1d131473

SHA1
d89381594d3241b0e645033f67572a5d8c166764

SHA256
dd8349e2789db1125b477971c5d445b6afb2f6ea3b57de65080631040900fe8c

SHA512
2278d074aab519859188b047c77fe7b4db718e0af237b63e06a1b095d7a1eb4e07d6ea59cab5d7b1325aae0047fadea36eae12a80bfefe112aab85fc18aa1ca3

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
128KB

MD5
95c0717211db43a49e58d65c0b01eac4

SHA1
664aa876893b5963c796d4dfe82832df4b54c9ff

SHA256
4e2f7c81c990c55da52f7c50b3c5defb4cbb965eaad64b909c84abf1dce40dff

SHA512
213c2dcff9bdcbb94c4da1793a3c0030d90cb40e09d11d2c543bc2f6ef906eb48ff312785dbc8eb91d3d76221ba5bf97ee34b4fee9b4bab0858008f0159beb5e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profiles.ini

Filesize
103B

MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
9b2986911dd53fdda3a049f80e2fe4c8

SHA1
2e9e3f7bd2ed141fcedfd8c9caa787b04a96db67

SHA256
1baf86a01a45e998d4e94c0c85c8bd5a7058693fe4587e2ada13eebec809ff2d

SHA512
45e8cb3eeff3b2b2d3f0dd5f124fdf660698ccba9a346bcc502b7672bc65ca30f0fa507a4b69eb1dda7fe9b033b9abb1ea4a6d914c8b7b395a6220cf21af9187

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new

Filesize
7.0MB

MD5
62fa8e9e629d2801a0e2b33dad7ca4be

SHA1
4e633190808d780a497354722db6c09815fa01f1

SHA256
4e7a3107937e033b7edbf81e523fd53e50e48c63f3ed0ea996e431c262420bdb

SHA512
08735ec0cf196cc8651f3d451beb9a3f364ed9eb6ab5b919264f5bd17ba9a701884b801ac9430614a32970593047837b3d4155b700e2bd67e3f6576e3541543a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\browser\omni.ja

Filesize
24.6MB

MD5
16d170e64de5b3be86b27e71d0ef29b1

SHA1
ae8dab7b6cf1a1a9d220a0a5a0632ef9609656ee

SHA256
8007da1e8cbcfe9cb268091e492b803d84ab886979d7ca6621184844236ef4d7

SHA512
cf2db696f3213376e3686d9cfa9756436debb84580fc25f811a6c56b55ccf7bfdb5444352b4cea7912dcb759b97536df3961b8e8e279546ee20b5c8b7d0da422

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\defaults\pref\channel-prefs.js

Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\dependentlibs.list

Filesize
42B

MD5
70b1d09d91bc834e84a48a259f7c1ee9

SHA1
592ddaec59f760c0afe677ad3001f4b1a85bb3c0

SHA256
2b157d7ff7505d10cb5c3a7de9ba14a6832d1f5bfdbfe4fff981b5db394db6ce

SHA512
b37be03d875aa75df5a525f068ed6cf43970d38088d7d28ae100a51e2baa55c2ad5180be0beda2300406db0bdea231dde1d3394ee1c466c0230253edfe6aa6e4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\distribution\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

Filesize
930KB

MD5
a3fb2788945937b22e92eeeb30fb4f15

SHA1
8cade36d4d5067cd9a094ab2e4b3c786e3c160aa

SHA256
05b98840b05ef2acbac333543e4b7c3d40fee2ce5fb4e29260b05e2ff6fe24cd

SHA512
4897aefe3a0efffaa3d92842b42fe223f0b9882031a65bea683f4554d1fec92b8a66ea15c67e9b95c7fc12991cde3245010ccfb91768ba233711ced3412c13bc

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

Filesize
1.7MB

MD5
1902d5bf4e343cc5ef8a4ed19e62d05b

SHA1
05155bf02f09e0006bfc68500aa1b153cf97d445

SHA256
914299dd77f4322c99f62c37df1317ea3424d9a747d4635d10c1d3f003f6abd4

SHA512
402a252a79272c41a8a1a09cee236d184c83fa56e8d41fdb3c25d967440c4feb5f29adefce407434a4f203dc51c127f97c4f7a3825f2cbfa726b26be0b0bb094

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\freebl3.dll

Filesize
690KB

MD5
55c08727f73be5114d5c1bee71d00313

SHA1
f3d6b0f4a210b33a2f47bb29d244e0dea4a73265

SHA256
fee95fd29d95781079568ccc5b8533aae48ad9cb7197d45597bf6fe44551d489

SHA512
29385935fbe28b67115942c768dd71f36b165fcb71030e1c953b3c60e206ec35346519e9d9eb860e9058f26bb2dde1e1efe47c6deebb5b8e8775b2791a664cf1

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\lgpllibs.dll

Filesize
43KB

MD5
256030be9ef4d8e57fc8755ba8ae3fb3

SHA1
9e4f0dc7e9f327dc4d5e513b8f3badd000153971

SHA256
2a559be2d40d83ddd642198e11ba301fa47bcc934270f1f8228e212ba340b84b

SHA512
06913d9424e23d02ce4b75c6378e6b9ba5a405f30aaff8c3a3b51290ca0c3fefc1c498c22b0052faf98e61d94b66cfec7965952e2e0b5e085a5a2b9ce32c8e66

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll

Filesize
1.4MB

MD5
38e68e87a12a0d73a8e10822028a9840

SHA1
1f68836daa7e8c68c7908c0b49ce42f71f961201

SHA256
9bdfbeaa202debc1dbd835eae2c7c78f7c765de8acfa72bc13d73b0600b5c88e

SHA512
d5b1bd3fd8921fd0b9c3baa924e482b5c199e81f7ccbfcf3d9da19e9f249e4c42e3c6e052b24a9eab8ac296fabaf1bb7d69febb26f01be8b7f6ee68e32108f81

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nss3.dll

Filesize
2.5MB

MD5
0419c3346cd76c4f5dd4c292d72c84b2

SHA1
0fee9363f7d180a6a9da292d6df4c4be32bea681

SHA256
2b4bf28acf3e0c54cc4f4d34dcde154fac1b88067c47b91ce0198ecd91963cba

SHA512
baa38dbba19cc4dd77a35a2152d2c88dda0aae90ada1cfa2f933d751ac970b27dc03e5b803d585476a3e9f8c6570f3ec4febc769d5c900797e9e9a749be0d72b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nssckbi.dll

Filesize
472KB

MD5
6cb8ab5c1991b638227b585948b0f9a9

SHA1
53cec0f986e465cc151eb36f3cae2bb6d64f00f0

SHA256
ee9e4b8e9b3d774d3b3cdd827ac4fb2d3e53a436fc49e8400d93dde60ed27696

SHA512
e167f3d5e23efd834886ba324394b6f2f87808bf8190c230ce6ecd133d92a0f93776ba7d1ed2b91d5e7a40911811c048c63f81b7148267c95794f4a063957a0b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\omni.ja

Filesize
17.5MB

MD5
fe21313200ed07129cc3f8be690c5a99

SHA1
7516c1fc9385bb8f29a0631282863766087fbdac

SHA256
ffd925c8a9d2eed5e520c0e0070d617f3c54f363f8a1cb01271e41475a270455

SHA512
b64e9192ab355f229d388496da0456523742a5954a30ba19d5464e4358ebc184434d57636b2d0878af55615aaa042da813700045f29cd47eb88c84a24ef0fcc9

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\softokn3.dll

Filesize
288KB

MD5
bd06298b530ddf011047ac815be503b6

SHA1
e8de0241bd1db7f5e6d21612d264814efcfd84be

SHA256
0f52bdf017e9a578da73031cad6524bb0fbb19be3f312dcc56882b9093ebcc3d

SHA512
43bc1bcde6f34e8faf7417092c5d5a528448baffd76845ab45e777ffe298c996995278509ab32dde1775734b28ee205f9780320c216b3d938ce1868c6e9c476d

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\xul.dll

Filesize
143.5MB

MD5
97aaf0b3b05140163629e17f6a64b93b

SHA1
1a860206b99d1b13178cdfeb5a4f3aa0528e9d90

SHA256
5d15aaa6f7e4f40074262c4515cddd25c4f208634fbf8902880f91ac70390d83

SHA512
04834b5d68c1cfde22076d3721e560ceff1108eb4d0f65bdcd84967737786faff096dcefd30dedcd108f3586345dd2b45372fc2e828e3aab1fe754f392a0db00

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Start Tor Browser.lnk

Filesize
829B

MD5
cd08ae272c36b05f97339bf23f008c55

SHA1
8a00cd392d7d414dcd0e07986ed5bf8dfd1c20d8

SHA256
4a69e1c95dd198e2b161709186327709016ea15c7b2ad65b7e562efdb6818649

SHA512
b1af93d2f779b66ca2678a3ae27b1dc6b34d73f879fdec17a1c5b5a81f0e7dcc7f79ecd9b81fd69afff39c2e5ba5745a41305abab0ebfe0331ff5bf1bbc41afe

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.13.exe

Filesize
98.9MB

MD5
1d189b171fc5c7924c9f4992131bbdff

SHA1
014ce1c0ce11e114a28280c9f1c74d990ea6dc86

SHA256
d485685e2c57dcc67d578ae658e49b9161a0163e9b4b05f887eb009f7493ba11

SHA512
876a5fd1406b023f8626fe2172840bbe9f11d372adf1db66734f4c8e5f5215c2eabd64f3b3473a8dedd6f550f3a271b7d131938392298c71c9441c3f13be64b1

Download Submit
memory/516-1347-0x000001CE30A30000-0x000001CE30ADD000-memory.dmp

Filesize
692KB

Download
memory/1060-1367-0x000001C231DF0000-0x000001C231E9D000-memory.dmp

Filesize
692KB

Download
memory/1764-1-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/1764-213-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/1764-214-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/1764-0-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2052-1369-0x000001F348700000-0x000001F3487AD000-memory.dmp

Filesize
692KB

Download
memory/4464-1381-0x000001CBD08F0000-0x000001CBD099D000-memory.dmp

Filesize
692KB

Download
memory/4900-1340-0x000002BA52660000-0x000002BA5270D000-memory.dmp

Filesize
692KB

Download
memory/4900-1045-0x00007FFA4FBA0000-0x00007FFA4FBA1000-memory.dmp

Filesize
4KB

Download
memory/4900-1043-0x00007FFA4FFD0000-0x00007FFA4FFD1000-memory.dmp

Filesize
4KB

Download
memory/5256-988-0x000001F276BB0000-0x000001F276D20000-memory.dmp

Filesize
1.4MB

Download
memory/5280-1346-0x0000014978A50000-0x0000014978AFD000-memory.dmp

Filesize
692KB

Download
memory/5448-1368-0x00000282BC350000-0x00000282BC3FD000-memory.dmp

Filesize
692KB

Download
memory/5812-706-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/5812-920-0x00007FFA402C0000-0x00007FFA40406000-memory.dmp

Filesize
1.3MB

Download
memory/5812-659-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/5812-914-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/5812-901-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/5812-733-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/5812-604-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/5812-606-0x00007FFA468C0000-0x00007FFA468CB000-memory.dmp

Filesize
44KB

Download
memory/5812-605-0x00007FFA468D0000-0x00007FFA468DF000-memory.dmp

Filesize
60KB

Download
memory/5900-608-0x00007FFA43080000-0x00007FFA4308F000-memory.dmp

Filesize
60KB

Download
memory/5900-607-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/5900-699-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/5900-609-0x00007FFA42E70000-0x00007FFA42E7B000-memory.dmp

Filesize
44KB

Download
memory/5968-610-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/5968-628-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/5968-629-0x00007FFA48ED0000-0x00007FFA48EDF000-memory.dmp

Filesize
60KB

Download
memory/5968-630-0x00007FFA48EC0000-0x00007FFA48ECB000-memory.dmp

Filesize
44KB

Download
memory/5968-690-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/6128-705-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/6128-640-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/6128-642-0x00007FFA46B80000-0x00007FFA46B8B000-memory.dmp

Filesize
44KB

Download
memory/6128-641-0x00007FFA48EB0000-0x00007FFA48EBF000-memory.dmp

Filesize
60KB

Download