Analysis Overview
SHA256
e2eff267e9a29f6bbd3d8c26f1813aeb6745cf879fad89c8ef46175427d069f0
Threat Level: Known bad
The file BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.7z was found to be: Known bad.
Malicious Activity Summary
Avoslocker Ransomware
Modifies boot configuration data using bcdedit
Deletes shadow copies
Renames multiple (8331) files with added filename extension
Downloads MZ/PE file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates connected drives
Checks whether UAC is enabled
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Command and Scripting Interpreter: PowerShell
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious behavior: MapViewOfSection
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy WMI provider
Modifies Internet Explorer settings
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Checks processor information in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-24 17:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-24 17:05
Reported
2024-07-24 17:08
Platform
win10-20240404-en
Max time kernel
216s
Max time network
217s
Command Line
Signatures
Avoslocker Ransomware
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (8331) files with added filename extension
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1124436784.png" | C:\Windows\system32\reg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6918_40x40x32.png | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-36.png | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\es-ES\TabTip32.exe.mui | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Regular.otf | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small2x.png | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\fillandsign.svg | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.ELM | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files\Common Files\System\ado\uk-UA\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mip.exe.mui | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\FlickLearningWizard.exe.mui | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\lib\tools.jar | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ca-es\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-selector.js | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f33\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\net.properties | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_comment_18.svg | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\RunningLate.scale-64.png | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\javaws.policy | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\Triedit\en-US\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\af\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10146_20x20x32.png | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\sl-SI\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\browser_broker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "599" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "748" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C9 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "3611" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 80a22ce2ebddda01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ec69b4ccebddda01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "132" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe.vhga0ic.partial:Zone.Identifier | C:\Windows\system32\browser_broker.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe
"C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd /c wmic shadowcopy delete /nointeractive
C:\Windows\SYSTEM32\cmd.exe
cmd /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SYSTEM32\cmd.exe
cmd /c bcdedit /set {default} recoveryenabled No
C:\Windows\SYSTEM32\cmd.exe
cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\cmd.exe
cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete /nointeractive
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1124436784.png /f
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffd6a49758,0x7fffd6a49768,0x7fffd6a49778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffd6a49758,0x7fffd6a49768,0x7fffd6a49778
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe
"C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe"
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.0.531426306\613123096" -parentBuildID 20240708120000 -prefsHandle 1612 -prefMapHandle 1684 -prefsLen 19245 -prefMapSize 240456 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {dc59656d-a9f5-485c-8977-790586e3aa96} 41344 gpu
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.1.1331775198\941898307" -childID 1 -isForBrowser -prefsHandle 2596 -prefMapHandle 2592 -prefsLen 20168 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5f28eb96-618e-4160-b19a-002a0814b918} 41344 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:e655213e02133b746061d5c3560db0b921b47adee5663aedb6fae967eb +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 41344 DisableNetwork 1
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.2.2088270281\778094298" -childID 2 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 20940 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ec9fd502-2f33-4521-964f-d8ee69a51472} 41344 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.3.541147275\354249672" -childID 3 -isForBrowser -prefsHandle 2948 -prefMapHandle 3100 -prefsLen 21054 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {37b1b495-9f9b-4276-baf6-f7d23419657c} 41344 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.4.484076355\1196957539" -parentBuildID 20240708120000 -prefsHandle 2576 -prefMapHandle 3076 -prefsLen 22493 -prefMapSize 240456 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8c3aff49-c056-4996-a698-8cb1ed03fe39} 41344 rdd
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.5.1184537501\2052910883" -childID 4 -isForBrowser -prefsHandle 3792 -prefMapHandle 3780 -prefsLen 22309 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {077681ba-9a76-4769-9130-fc70656291c1} 41344 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.6.2059950229\336411858" -childID 5 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 22309 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {18daecbb-a213-4808-ad07-b6a206c80af1} 41344 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.7.1566723235\1294953228" -childID 6 -isForBrowser -prefsHandle 4164 -prefMapHandle 4168 -prefsLen 22309 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {77d20daf-398c-46e6-af29-1b71ab3cfda1} 41344 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.8.206619029\552789061" -childID 7 -isForBrowser -prefsHandle 1576 -prefMapHandle 1484 -prefsLen 22588 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8026d01d-4363-46f2-bbb5-fad891039ed1} 41344 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.9.807606311\2009190042" -childID 8 -isForBrowser -prefsHandle 3100 -prefMapHandle 2408 -prefsLen 24870 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e0b723be-c0d7-4adb-b6ce-b025a783ddee} 41344 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.10.1386455322\1540882547" -childID 9 -isForBrowser -prefsHandle 4200 -prefMapHandle 4672 -prefsLen 22910 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {78304eb8-4d88-4215-a057-ab391bc1420c} 41344 tab
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.11.2092397543\335211911" -childID 10 -isForBrowser -prefsHandle 3864 -prefMapHandle 3852 -prefsLen 22910 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b92e2c02-6232-496a-92ec-b7df97ffa0e8} 41344 tab
Network
| Country | Destination | Domain | Proto |
| GB | 88.221.135.11:443 | www.bing.com | tcp |
| GB | 88.221.135.11:443 | www.bing.com | tcp |
| GB | 88.221.135.11:443 | www.bing.com | tcp |
| GB | 88.221.135.11:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | www.torproject.org | udp |
| US | 204.8.99.144:443 | www.torproject.org | tcp |
| US | 204.8.99.144:443 | www.torproject.org | tcp |
| US | 8.8.8.8:53 | 11.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 204.8.99.144:443 | www.torproject.org | tcp |
| US | 204.8.99.144:443 | www.torproject.org | tcp |
| US | 204.8.99.144:443 | www.torproject.org | tcp |
| US | 204.8.99.144:443 | www.torproject.org | tcp |
| US | 8.8.8.8:53 | 144.99.8.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 204.8.99.144:443 | www.torproject.org | tcp |
| US | 204.8.99.144:443 | www.torproject.org | tcp |
| US | 8.8.8.8:53 | dist.torproject.org | udp |
| US | 204.8.99.146:443 | dist.torproject.org | tcp |
| US | 204.8.99.146:443 | dist.torproject.org | tcp |
| US | 204.8.99.146:443 | dist.torproject.org | tcp |
| US | 204.8.99.146:443 | dist.torproject.org | tcp |
| US | 8.8.8.8:53 | 146.99.8.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 216.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| GB | 88.221.135.0:443 | www.bing.com | tcp |
| GB | 88.221.135.0:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 144.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| N/A | 127.0.0.1:56891 | | tcp |
| N/A | 127.0.0.1:9151 | | tcp |
| N/A | 127.0.0.1:57025 | | tcp |
| N/A | 127.0.0.1:57136 | | tcp |
| CZ | 195.123.247.209:9001 | | tcp |
| US | 8.8.8.8:53 | 209.247.123.195.in-addr.arpa | udp |
| HU | 146.70.120.58:9001 | | tcp |
| NL | 188.213.95.146:9001 | | tcp |
| US | 8.8.8.8:53 | 58.120.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.95.213.188.in-addr.arpa | udp |
| N/A | 127.0.0.1:9150 | | tcp |
| N/A | 127.0.0.1:9150 | | tcp |
| N/A | 127.0.0.1:9150 | | tcp |
| N/A | 127.0.0.1:9150 | | tcp |
| N/A | 127.0.0.1:9150 | | tcp |
| N/A | 127.0.0.1:9150 | | tcp |
| N/A | 127.0.0.1:9150 | | tcp |
Files
C:\GET_YOUR_FILES_BACK.txt
| MD5 | 6d81ed40ba0a283e5483bfe6a448e9d7 |
| SHA1 | 0c847a5f9df743b13e1aa11b4c24a4309e9a7119 |
| SHA256 | b4464f61655ca584170694bedd52c6cff2b74c18a761b33cfb1387f017d2d57d |
| SHA512 | 8956415f155f24852ac672aa06cc6a8819a2a0e44a9b940f8f3390c34ebb43ff10f4635722f104a5a9a94098d3f286362f507dc49d3f048e540f48c073eaf379 |
memory/3132-8414-0x000001D76F940000-0x000001D76F962000-memory.dmp
memory/3132-9134-0x00007FFFC2E03000-0x00007FFFC2E04000-memory.dmp
memory/3132-10315-0x000001D770430000-0x000001D7704A6000-memory.dmp
memory/3132-15338-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp
memory/3132-15339-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q1yhkjja.1s2.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3132-22597-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp