Malware Analysis Report

2024-10-16 03:26

Sample ID 240724-vlv2caxdnn
Target BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.7z
SHA256 e2eff267e9a29f6bbd3d8c26f1813aeb6745cf879fad89c8ef46175427d069f0
Tags
avoslocker defense_evasion discovery evasion execution impact ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2eff267e9a29f6bbd3d8c26f1813aeb6745cf879fad89c8ef46175427d069f0

Threat Level: Known bad

The file BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.7z was found to be: Known bad.

Malicious Activity Summary

avoslocker defense_evasion discovery evasion execution impact ransomware trojan

Avoslocker Ransomware

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (8331) files with added filename extension

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Checks whether UAC is enabled

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: MapViewOfSection

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy WMI provider

Modifies Internet Explorer settings

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-24 17:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 17:05

Reported

2024-07-24 17:08

Platform

win10-20240404-en

Max time kernel

216s

Max time network

217s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (8331) files with added filename extension

ransomware

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe N/A
N/A N/A C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe N/A
N/A N/A C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1124436784.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6918_40x40x32.png C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-36.png C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\es-ES\TabTip32.exe.mui C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Regular.otf C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small2x.png C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\fillandsign.svg C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.ELM C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files\Common Files\System\ado\uk-UA\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mip.exe.mui C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\tools.jar C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ca-es\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-selector.js C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f33\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\net.properties C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_comment_18.svg C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\RunningLate.scale-64.png C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\javaws.policy C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Triedit\en-US\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\af\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10146_20x20x32.png C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sl-SI\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "599" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "748" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C9 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "3611" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 80a22ce2ebddda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ec69b4ccebddda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "132" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe.vhga0ic.partial:Zone.Identifier C:\Windows\system32\browser_broker.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\SYSTEM32\cmd.exe
PID 2720 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\SYSTEM32\cmd.exe
PID 2720 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\SYSTEM32\cmd.exe
PID 2720 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\SYSTEM32\cmd.exe
PID 2720 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\SYSTEM32\cmd.exe
PID 2720 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\SYSTEM32\cmd.exe
PID 2720 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\SYSTEM32\cmd.exe
PID 2720 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\SYSTEM32\cmd.exe
PID 2720 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\SYSTEM32\cmd.exe
PID 2720 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\SYSTEM32\cmd.exe
PID 4192 wrote to memory of 4624 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4192 wrote to memory of 4624 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2204 wrote to memory of 4828 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2204 wrote to memory of 4828 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 528 wrote to memory of 3132 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 3132 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4944 wrote to memory of 38300 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4944 wrote to memory of 38300 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4064 wrote to memory of 38312 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4064 wrote to memory of 38312 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2720 wrote to memory of 32736 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 32736 N/A C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 32736 wrote to memory of 33456 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 32736 wrote to memory of 33456 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 32736 wrote to memory of 33508 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 32736 wrote to memory of 33508 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 33836 wrote to memory of 34008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 33836 wrote to memory of 34008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 33836 wrote to memory of 34008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 33836 wrote to memory of 34008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 33836 wrote to memory of 34008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 33836 wrote to memory of 34008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 33836 wrote to memory of 34008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 33836 wrote to memory of 34008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 33836 wrote to memory of 34008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 33836 wrote to memory of 34008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 33836 wrote to memory of 34008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 34044 wrote to memory of 34096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 34044 wrote to memory of 34096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 34388 wrote to memory of 34408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 34388 wrote to memory of 34408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 36628 wrote to memory of 37772 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 35592 wrote to memory of 38204 N/A C:\Windows\system32\browser_broker.exe C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe
PID 35592 wrote to memory of 38204 N/A C:\Windows\system32\browser_broker.exe C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe
PID 38204 wrote to memory of 41284 N/A C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
PID 38204 wrote to memory of 41284 N/A C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
PID 41284 wrote to memory of 41344 N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
PID 41284 wrote to memory of 41344 N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
PID 41284 wrote to memory of 41344 N/A C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe

"C:\Users\Admin\AppData\Local\Temp\BFF12A83B1FC2E0AD0000AD9B68ABC8EADA559BB1094CAAF5B9F52887DF23705.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1124436784.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffd6a49758,0x7fffd6a49768,0x7fffd6a49778

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe

"C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.1.exe"

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.0.531426306\613123096" -parentBuildID 20240708120000 -prefsHandle 1612 -prefMapHandle 1684 -prefsLen 19245 -prefMapSize 240456 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {dc59656d-a9f5-485c-8977-790586e3aa96} 41344 gpu

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.1.1331775198\941898307" -childID 1 -isForBrowser -prefsHandle 2596 -prefMapHandle 2592 -prefsLen 20168 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5f28eb96-618e-4160-b19a-002a0814b918} 41344 tab

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:e655213e02133b746061d5c3560db0b921b47adee5663aedb6fae967eb +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 41344 DisableNetwork 1

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.2.2088270281\778094298" -childID 2 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 20940 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ec9fd502-2f33-4521-964f-d8ee69a51472} 41344 tab

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.3.541147275\354249672" -childID 3 -isForBrowser -prefsHandle 2948 -prefMapHandle 3100 -prefsLen 21054 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {37b1b495-9f9b-4276-baf6-f7d23419657c} 41344 tab

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.4.484076355\1196957539" -parentBuildID 20240708120000 -prefsHandle 2576 -prefMapHandle 3076 -prefsLen 22493 -prefMapSize 240456 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8c3aff49-c056-4996-a698-8cb1ed03fe39} 41344 rdd

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.5.1184537501\2052910883" -childID 4 -isForBrowser -prefsHandle 3792 -prefMapHandle 3780 -prefsLen 22309 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {077681ba-9a76-4769-9130-fc70656291c1} 41344 tab

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.6.2059950229\336411858" -childID 5 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 22309 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {18daecbb-a213-4808-ad07-b6a206c80af1} 41344 tab

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.7.1566723235\1294953228" -childID 6 -isForBrowser -prefsHandle 4164 -prefMapHandle 4168 -prefsLen 22309 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {77d20daf-398c-46e6-af29-1b71ab3cfda1} 41344 tab

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.8.206619029\552789061" -childID 7 -isForBrowser -prefsHandle 1576 -prefMapHandle 1484 -prefsLen 22588 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8026d01d-4363-46f2-bbb5-fad891039ed1} 41344 tab

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.9.807606311\2009190042" -childID 8 -isForBrowser -prefsHandle 3100 -prefMapHandle 2408 -prefsLen 24870 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e0b723be-c0d7-4adb-b6ce-b025a783ddee} 41344 tab

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.10.1386455322\1540882547" -childID 9 -isForBrowser -prefsHandle 4200 -prefMapHandle 4672 -prefsLen 22910 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {78304eb8-4d88-4215-a057-ab391bc1420c} 41344 tab

C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

"C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="41344.11.2092397543\335211911" -childID 10 -isForBrowser -prefsHandle 3864 -prefMapHandle 3852 -prefsLen 22910 -prefMapSize 240456 -jsInitHandle 1100 -jsInitLen 240916 -parentBuildID 20240708120000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b92e2c02-6232-496a-92ec-b7df97ffa0e8} 41344 tab

Network


Files

SHA512 b92e377c4e7f39087625704c174514d1e87c5ff462181938ba979ad753e381771b8838febee99c276b66bd73b3e6d6f1473d59d2062ce3766b1a431ed3c5a6c3

\Users\Admin\Desktop\Tor Browser\Browser\freebl3.dll

MD5 dd3e5d568d6ec781aedf5e1705f283b8
SHA1 b21fda9c83707f5baf2eceffd4496339f6d145c5
SHA256 ed1d55d6f52963ca4918c15c1f69f26ad14519a1e7e08f8a3669b0ce13b4a30d
SHA512 4076331b5a25587006a97b41c181d5561e5c717a8d9b55f54152e4a014ee39bf809af560dd81aa8fd0df05ff5e3280e1891cfb0aadb944faf3ac9c4beac87e01

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

MD5 96fee50f9f9c744fd49fb2e1924dfc56
SHA1 fe9e5395f6cf4af6c8305b3f46ed93d89aa63890
SHA256 4f6e8d18974faea14322d6717476eb6cad4ef9c3f4bd7d66b0cf96d9056f09b0
SHA512 c8e496fed463e2b8a14c6f9ee21c3f9cafe895c1383be389ace68395df5c7a174b6d192ed53732a94a1ecfc4b8dcfcd9019c7fd901960cc915aeeb62d80547b3

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansChakma-Regular.ttf

MD5 82f2c632a76dc9922cd85630d0c97db9
SHA1 4558e69543903a058b3d5a7b8f50a6dea8ea50f9
SHA256 60ce1d029e35b432dd68cc9f6c94f69bd84d8c97f28f06130186606dd2c3325d
SHA512 cbfe37179fa4bd8618eade5e5168dcfab9d784586319014692bcfc7f767187e4beee24b3afb471abdd9adde747eaf51648926ed1a790e9f8458152c283fb34e0

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansCanadianAboriginal-Regular.ttf

MD5 fc6ec655d6a00c567119522854e24172
SHA1 b72baef2dc0aca98cf7d3458cc027f4b0622db08
SHA256 0d188756c9c282bf31738af5373f2363cc8007bbbc8d5560fae5821ed4937611
SHA512 0a0eb23751b5df39becbbb308b6b36e324ea6ec469d2167a795cc10fb3bc38cb7b3187a3a63566e280470b09a080c000280e3b9a01681a68f8a3f35c7a2f139a

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBuhid-Regular.ttf

MD5 34699ac8824cdb6593b4dbef605dd6b2
SHA1 22ff82e35cbb1ac9053f767f404ee351786fe0c2
SHA256 328d80e11e7f65f9b6e4bac12de32b7ce42154301c2a14ba92155e32e05939d6
SHA512 fe714d5d44c6c2f4f96b4349bff301a67749bcb084ade3a0270723f1fa6bd6061193c4d782cb663d63e2c32cc809f33a8114e2e0bc6915de2b04efc82b5de673

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBuginese-Regular.ttf

MD5 bd4c30081a164037311e8712423c5bf2
SHA1 2a13bc7987ca34644b075c1fe197ba293b4ca527
SHA256 bc19f17d7f6e8f280c2cc95ef6d1b67fac25becfe98722f482039a4d84f3c9ba
SHA512 2a20d113b73cbca311d08dba40dcb7f8ab9d5383f7590b61b785070f77204db9ab163557a420c6c96ede815643f82ffdf75bc59b5802284779ff237616734c66

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBengali-Regular.ttf

MD5 7b5138efef2c02dda9cfae9917cd913f
SHA1 b44b58f354c4a68e119df226f01ad763b2d1025c
SHA256 9f8b4dd091f19b111d24ea18daae81bea8684cc67de17ea1acd797e144bf20ba
SHA512 47e4cfd2218c91080fc4ccc3ac13dabe9efb7c96b981d53577177fb062973b9fad0052edcf2b0c663ff3b7a1d9e38e96586c93cb72618d64344b96e3df13204c

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBatak-Regular.ttf

MD5 9390ee64243e5335b79e33e5e8311341
SHA1 c8d4b3ab79f6b12311eb4e4da29e709e583b5870
SHA256 cff9f0e51e7f1d95934cac31d9ad43ba453ee308c7b46a27803dc7e2e6c3adef
SHA512 ad7b23dab247c5c71298c5023bc58bd1d00160145558d86ab75dd37de1f1017540bac544cd9bf1cb2802d19d2973c0cf189d05a980777de886ffb552ae923bc0

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBassaVah-Regular.ttf

MD5 778376d22591a4a98bf83ac555ddf413
SHA1 608172ca18450b4cc61ff6cc155f66cff55c5bf9
SHA256 8218239377452e05634a91ee8a4338daf0aa96a15673a437533a098eb9c06f53
SHA512 e895a03374a3d3da04554cd048191722652ed4f1f7cc91639354843138ce26aea6c7f2da0ecda47eb76bcdd61a0315cc2e35e080a5953c24d82f4e94ce4aa260

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBamum-Regular.ttf

MD5 f0b22427c3ddce97435c84ce50239878
SHA1 a4a61de819c79dc743df4c5b152382f7e2e7168d
SHA256 0282610e6923d06a4d120cff3824e829b4535a8c4c57c07e11dbe73475541084
SHA512 ff2b22e58597d0ba19562c36f03cf83b5f327eee27f979c9ff84fe35a21b1fc9234f21fdb35fb95f933c79b9cf7760328d29b31480153da59a6576cf5f7f544e

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBalinese-Regular.ttf

MD5 12764d72c2cee67144991a62e8e0d1c5
SHA1 f61be58fea99ad23ef720fbc189673a6e3fd6a64
SHA256 194e110cb1e3f1938def209e152a8007fe5a8b0db5b7ce46a2de6e346667e43d
SHA512 fb670a7dbb57465d6384cd5c3a35356e94bf54ac4cb7578e67c8729ff982943b99c95b57f6059443e3e8b56d8c8d2cfc6e81ae3a1cf07306f91c3a96e4883906

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansAdlam-Regular.ttf

MD5 ac01114123630edca1bd86dc859c65e7
SHA1 f7e68b5f5e52814121077d40a845a90214b29d41
SHA256 1b7b86711479fbfd060ed38abe1258246b4be2826760e6827287958218bb3f5c
SHA512 1c9ac878ba12f3de207aa9a7eb8c0239f769f9ae7475fec998e998192aa6900fe146039ac982612c6c0b7e5363355f2803d8f62e4787c0908c883ac3796e2a9b

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSans-Regular.ttf

MD5 e782457ebb0389715abdf5a9e20b3234
SHA1 e0d9ad78d1972d056d015452ed8dee529e8bb24b
SHA256 0e90d375cdb64f088a6a676eb560b755afa184e523fefbb9c33fdda4d7dd8461
SHA512 3ec030fdaa18f90bd8060466276c9ec49fd9233746e603d61a4f65a9a53e97e7b3382f8f913da17c48ffefc8adcf2be25f7e1c51f16555068b8f344a4e6dd961

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoNaskhArabic-Regular.ttf

MD5 27dfbbe8ee4015763e3c51d73474e94a
SHA1 4328cdc9a3f9c6b7df0624c81afbd3459f213e40
SHA256 b4fe7b745c5b40e5d6294a883afcb8b4264b88d331fd0b4620050441479f391e
SHA512 42cc921fee7bad58ee1fac12eb8153b580b5d9d6ed510d5df4bd4be754ef1b017c987051385d828b70de050340f9629be7b385d0338c9db6e0f9f51543387375

C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\000_README.txt

MD5 793eae5fb25086c0e169081b6034a053
SHA1 3c7cc102c8fcaf3dcbe48c3f8b17ec0f45dcc475
SHA256 14e396a360e5f9c5833dc71131d0b909f7b24c902b74f31a7a3d78d5aa0fa980
SHA512 5e949be232df14bf7bfb679986a16f4a613439f5b5e71271abbfbf74296b43c977510fd6403702139ffd77dd3369e054dbe086e0188fff4f436f3505654e1f70

memory/41344-23651-0x000002214C290000-0x000002214C2A0000-memory.dmp

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

MD5 b1febe9e32cd0d51172e31b79e802d6e
SHA1 045f605cd01b1c03adf13b382c3853e6240b5c48
SHA256 671eb94e080aae7a511751ea40e615fc45b6163e0e261dadd34b9f4063ef9035
SHA512 d8c9ec172c48f825f5228da2874b43fdc8bd7803cb072d3fe5d0a12f1dbb90eba6931fd6e8ceaacad1c23223183bd396507d8a140491209d990648d6066435fc

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

MD5 7d3d11283370585b060d50a12715851a
SHA1 3a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3
SHA256 86bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9
SHA512 a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

MD5 8227db9178500b863fa95a00969b938c
SHA1 548d09b42aee7681c3537907174f113c9187e1d6
SHA256 1b4f5cddc1ff0905a5e9b5613bb99d85f4bf51d06f9388b3ee1b6eda494d21a6
SHA512 db4804a538a5a3b627d025d96f4660397d1c27a51cc7044d83062c8ab809bdb09ba0d96608872a428d3ab43099fa188fe95ab372cf70f9d68e28a4ad782e71e7

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus.tmp

MD5 fc701222b7cab765de83bb820eaf64ad
SHA1 b5740ece69d643c9c4edcbc67ff6be01a9d89e00
SHA256 cb81760996188d485250ba7003daa16bffffed06d7b2a7c383402a0a94b96962
SHA512 00d663d54eb92552d0755478a866846197bd90a600840a03e0aa71495294d0e4cac745ecff79efecdf4d983cb1ee0d9d5a7642d34db0a1e6d325dd16533cfbcb

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new

MD5 3c9a65dee9a29523831da8a826013e76
SHA1 dba5dc92c41994e29b388acac55ca827d62cf59b
SHA256 eb3eb99bf85668e68eb01a5d23a331785d85848975df22562062aac46526a750
SHA512 6a518a7660c5f0a24d01229dccea91547be56fb758cdd7099440f719998a3cc2991e79f436912f8fc99604e755218d13d01907d0648a0e266f820c6710dff34f

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

MD5 98c4373f0fd5a168541a60f928c707e0
SHA1 cb462df8d83908763ce24854676d8b63f1c8166a
SHA256 bcfa11c3db9ae69df003ad8b870bfb4d2bdda8e87cb5fcbfa50c72359aa3d75e
SHA512 200450bed36f243afc443ccb6ccf415a7db267089363b080484284ded17f04f09a89adb9004c9d3b9f4b0fb595262b6eb4f25ae6ab5ae62853bc69ab2763b65f

C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

MD5 0519ce510cec37f984c929c5085ec06c
SHA1 e7fe3f3132cfdf55562ced8fc8a89b3f402affdb
SHA256 9a4f236b2e37bb6e61fcbdfbf17a3f472f483127c2dd4ea7eb6c9b6eed83444b
SHA512 9a8a877513c93b94841e02c01e7c787631b0075dc9e87544a3ede7f55e600528c54a754359b066d16f58fbd973a9c1080fd0f0908ddebab2bb9eb189fe5c3227

C:\Users\Admin\AppData\Local\Temp\tmp-14r.xpi

MD5 251150b67c4a694555ecd4a6bdcf5993
SHA1 92b571569aa6c265a6dcf715c04de50bacf712a4
SHA256 b22c007534471a8fb74378e970ba79a536a44f88d81ad3852273b82a466d10c7
SHA512 c525dde844ac84a92ee4098369a8e8c958e475cc785fe1a6c514618a59dd48a1d75ed30523ae20b044909527d0d29102fd644e5e7853568b584663c0a0221d09