dragonforce | 8656c8bc2d098776803ef6648d5b4d9e4cc444647ac09bb97fcccd54956ddc94

Resubmissions

06/04/2025, 17:05

250406-vmarsstybt 10

04/04/2025, 13:35

250404-qvrcasznx3 10

04/04/2025, 01:29

250404-bwktkszmw4 10

Analysis

max time kernel
1040s
max time network
1042s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
06/04/2025, 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Size

147KB
MD5

d54bae930b038950c2947f5397c13f84
SHA1

e164bbaf848fa5d46fa42f62402a1c55330ef562
SHA256

1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b
SHA512

81001ae98c5670aaf6c33d5f2ecae1ed20058fa5b1824f0c48fc12d93c5bf7c9cc1ac502e85c9244bdd13682539ff9f343907f2e965e04f910df8144f60fd63d
SSDEEP

3072:e6glyuxE4GsUPnliByocWep6v6JMdoKkgwfHweVg2sp+:e6gDBGpvEByocWe+oKT+g2a+

Score

10^/10

dragonforce defense_evasion discovery ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\AoVOpni2N.README.txt

Family

dragonforce

Ransom Note

Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: A758919A7F3B351CF86BF7B3B17CA0DE to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 02/05/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101

URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Signatures

DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
ransomware dragonforce
Dragonforce family
dragonforce

Downloads MZ/PE file 2 IoCs

flow	pid	Process
61	4264	chrome.exe
155	4264	chrome.exe

Deletes itself 1 IoCs

pid	Process
240	EC07.tmp

Executes dropped EXE 22 IoCs

pid	Process
240	EC07.tmp
5916	tor-browser-windows-x86_64-portable-14.0.9.exe
6012	tor-browser-windows-x86_64-portable-14.0.9.exe
6104	firefox.exe
5196	firefox.exe
4504	firefox.exe
5512	firefox.exe
6076	firefox.exe
872	tor.exe
6012	firefox.exe
4944	firefox.exe
6680	firefox.exe
6720	firefox.exe
6760	firefox.exe
6884	firefox.exe
6468	firefox.exe
656	firefox.exe
1436	firefox.exe
3084	setup-qtox-x86_64-release.exe
3372	qtox.exe
5656	firefox.exe
3048	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
5916	tor-browser-windows-x86_64-portable-14.0.9.exe
6012	tor-browser-windows-x86_64-portable-14.0.9.exe
6012	tor-browser-windows-x86_64-portable-14.0.9.exe
6012	tor-browser-windows-x86_64-portable-14.0.9.exe
6104	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
5512	firefox.exe
5512	firefox.exe
5512	firefox.exe
5512	firefox.exe
5512	firefox.exe
6076	firefox.exe
6076	firefox.exe
6076	firefox.exe
6076	firefox.exe
6076	firefox.exe
6012	firefox.exe
6012	firefox.exe
6012	firefox.exe
6012	firefox.exe
6012	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
6076	firefox.exe
6076	firefox.exe
6012	firefox.exe
6012	firefox.exe
6680	firefox.exe
6680	firefox.exe
6680	firefox.exe
6680	firefox.exe
6680	firefox.exe
6720	firefox.exe
6760	firefox.exe
6720	firefox.exe
6720	firefox.exe
6720	firefox.exe
6720	firefox.exe
6760	firefox.exe
6760	firefox.exe
6760	firefox.exe
6760	firefox.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1380	icacls.exe
5176	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	540	205.185.115.131	3372	qtox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-994669834-3080981395-1291080877-1000\desktop.ini	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-994669834-3080981395-1291080877-1000\desktop.ini	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-994669834-3080981395-1291080877-1000\desktop.ini	chrome.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
100	camo.githubusercontent.com
123	camo.githubusercontent.com
124	camo.githubusercontent.com
125	camo.githubusercontent.com
126	camo.githubusercontent.com
127	camo.githubusercontent.com
128	camo.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPvunqjq9vs9_slv15l3vxxuxtd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPgr37oq3ngc__3sm8ja84p750d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPv3cuxcwp84znj160gybyw8ae.TMP	printfilterpipelinesvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
240	EC07.tmp

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File created	C:\Program Files\qTox\uninstall.log	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libhunspell-1.7-0.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\qtox.exe	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\Qt6Widgets.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\avdevice-61.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\avformat-61.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libsodium-26.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\imageformats\qgif.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\tls\qcertonlybackend.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\Qt6Network.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\avutil-59.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libKF6SonnetUi.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\swscale-8.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\imageformats\qsvg.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\imageformats\qwebp.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\tls\qopensslbackend.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\uninstall.exe	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\Qt6Gui.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libwinpthread-1.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\imageformats\kimg_qoi.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\imageformats\qjpeg.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\iconengines\qsvgicon.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\OpenAL32.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\Qt6Svg.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libcrypto-3-x64.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libsqlcipher-0.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\platforms\qminimal.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\platforms\qwindows.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\Qt6Xml.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libKF6SonnetCore.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libopus-0.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libssl-3-x64.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libstdc++-6.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\Qt6Core.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\avcodec-61.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libexif-12.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libqrencode.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libtoxcore.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\platforms\qdirect2d.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\platforms\qoffscreen.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\tls\qschannelbackend.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libgcc_s_seh-1.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libssp-0.dll	setup-qtox-x86_64-release.exe
File created	C:\Program Files\qTox\bin\libzstd.dll	setup-qtox-x86_64-release.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.9.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\setup-qtox-x86_64-release.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EC07.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup-qtox-x86_64-release.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884328990736868"	chrome.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\toxsave\shell	setup-qtox-x86_64-release.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\toxsave\shell\open\command\ = "C:\\Program Files\\qTox\\bin\\qtox.exe %1"	setup-qtox-x86_64-release.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tox\shell	setup-qtox-x86_64-release.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tox\shell\open\command\ = "C:\\Program Files\\qTox\\bin\\qtox.exe %1"	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tox	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\toxsave\DefaultIcon	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tox\ = "URL:tox Protocol"	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tox\shell\open\command	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\qtox.exe\SupportedTypes	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\toxsave	setup-qtox-x86_64-release.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\toxsave\DefaultIcon\ = "C:\\Program Files\\qTox\\bin\\qtox.exe"	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-14.0.9.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\qtox.exe	setup-qtox-x86_64-release.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\qtox.exe\SupportedTypes\.tox	setup-qtox-x86_64-release.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tox\ = "toxsave"	setup-qtox-x86_64-release.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\toxsave\ = "Tox save file"	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\toxsave\shell\open	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tox	setup-qtox-x86_64-release.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tox\URL Protocol	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tox\shell\open	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	setup-qtox-x86_64-release.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\toxsave\shell\open\command	setup-qtox-x86_64-release.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.9.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\setup-qtox-x86_64-release.exe:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4456	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
5008	ONENOTE.EXE
5008	ONENOTE.EXE
3372	qtox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3372	qtox.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp
240	EC07.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeDebugPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: 36	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeImpersonatePrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeIncBasePriorityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeIncreaseQuotaPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: 33	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeManageVolumePrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeProfSingleProcessPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeRestorePrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSystemProfilePrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeTakeOwnershipPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeShutdownPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeDebugPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeBackupPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
Token: SeSecurityPrivilege	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
4144	firefox.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
1728	chrome.exe
3372	qtox.exe
3372	qtox.exe
3372	qtox.exe
3372	qtox.exe
3372	qtox.exe
3372	qtox.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
1528	OpenWith.exe
4144	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
5196	firefox.exe
3084	setup-qtox-x86_64-release.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 1440	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe	84
PID 4772 wrote to memory of 1440	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe	84
PID 1544 wrote to memory of 5008	1544	printfilterpipelinesvc.exe	87
PID 1544 wrote to memory of 5008	1544	printfilterpipelinesvc.exe	87
PID 4772 wrote to memory of 240	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe	88
PID 4772 wrote to memory of 240	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe	88
PID 4772 wrote to memory of 240	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe	88
PID 4772 wrote to memory of 240	4772	1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe	88
PID 240 wrote to memory of 1768	240	EC07.tmp	89
PID 240 wrote to memory of 1768	240	EC07.tmp	89
PID 240 wrote to memory of 1768	240	EC07.tmp	89
PID 1080 wrote to memory of 4144	1080	firefox.exe	97
PID 1080 wrote to memory of 4144	1080	firefox.exe	97
PID 1080 wrote to memory of 4144	1080	firefox.exe	97
PID 1080 wrote to memory of 4144	1080	firefox.exe	97
PID 1080 wrote to memory of 4144	1080	firefox.exe	97
PID 1080 wrote to memory of 4144	1080	firefox.exe	97
PID 1080 wrote to memory of 4144	1080	firefox.exe	97
PID 1080 wrote to memory of 4144	1080	firefox.exe	97
PID 1080 wrote to memory of 4144	1080	firefox.exe	97
PID 1080 wrote to memory of 4144	1080	firefox.exe	97
PID 1080 wrote to memory of 4144	1080	firefox.exe	97
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98
PID 4144 wrote to memory of 4680	4144	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
"C:\Users\Admin\AppData\Local\Temp\1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:1440
- C:\ProgramData\EC07.tmp
  "C:\ProgramData\EC07.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EC07.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4716

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{863194AB-408B-4387-92C3-F29E7F42AF21}.xps" 133884327772230000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AoVOpni2N.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2536 -prefsLen 24445 -prefMapHandle 2540 -prefMapSize 268500 -ipcHandle 2624 -initialChannelId {9def6237-b666-4719-8a31-f1857b477a77} -parentPid 4144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4144" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:4680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2868 -prefsLen 24445 -prefMapHandle 2872 -prefMapSize 268500 -ipcHandle 2880 -initialChannelId {7f44dbcb-b7ff-48bb-a0c7-eec5165172f2} -parentPid 4144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4144" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1952 -prefsLen 24610 -prefMapHandle 2120 -prefMapSize 268500 -jsInitHandle 2124 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2156 -initialChannelId {c3aed994-92e6-4ce7-8385-a9f5238a3df3} -parentPid 4144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4144" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:4824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2004 -prefsLen 25493 -prefMapHandle 2008 -prefMapSize 268500 -ipcHandle 3808 -initialChannelId {8bf4143e-8343-435d-86ac-c1aa6c508020} -parentPid 4144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4144" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:1324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4380 -prefsLen 25604 -prefMapHandle 4384 -prefMapSize 268500 -jsInitHandle 4388 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4396 -initialChannelId {d27b0a4b-34ed-4a03-b838-b9cc989c73a4} -parentPid 4144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4144" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:2788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 1916 -prefsLen 35805 -prefMapHandle 2024 -prefMapSize 268500 -ipcHandle 5104 -initialChannelId {cbdeaf7f-9e85-4cd1-bc83-24c082148b6f} -parentPid 4144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4144" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:3364

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\30ba9d86737c45c3a9cf412e54e16155 /t 2720 /p 4144
1⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8ff6dcf8,0x7ffe8ff6dd04,0x7ffe8ff6dd10
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1924,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=1980 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1896,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2300,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:13
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4132,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:9
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4436,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4264,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4924,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3400,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5272,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:14
  2⤵
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5488,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=4908 /prefetch:14
  2⤵
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5276,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=4948 /prefetch:14
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5492,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=4944 /prefetch:14
  2⤵
  PID:5976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5332,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:14
  2⤵
  PID:6016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4964,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=5508 /prefetch:14
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5816,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3504,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3476,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5900,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:14
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5644,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:14
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5724,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=6092 /prefetch:14
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6092,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=5744 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1200
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.9.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5916
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.9.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:6012
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6104
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Checks processor information in registry
      Suspicious use of SetWindowsHookEx
      PID:5196
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2592 -parentBuildID 20250331180000 -prefsHandle 2560 -prefMapHandle 2552 -prefsLen 21009 -prefMapSize 252329 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1fc5142e-43ff-4a1d-b386-2978e235ef18} 5196 gpu
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4504
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1808 -childID 1 -isForBrowser -prefsHandle 1832 -prefMapHandle 1824 -prefsLen 21821 -prefMapSize 252329 -jsInitHandle 1364 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {bfdb5902-fad0-4457-8412-b65170317834} 5196 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5512
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:fb5d35e3c903d18760beaf6b416619aa21b3ab16da841d7cc0ab6744f2 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 5196 DisableNetwork 1
        5⤵
        Executes dropped EXE
        
        PID:872
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1888 -childID 2 -isForBrowser -prefsHandle 2052 -prefMapHandle 1936 -prefsLen 22589 -prefMapSize 252329 -jsInitHandle 1364 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {6e26d852-e382-4804-90a8-434e066f0705} 5196 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6076
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3736 -childID 3 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 22702 -prefMapSize 252329 -jsInitHandle 1364 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e8d726c8-b152-4b7c-a37a-46e53847f411} 5196 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6012
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2016 -parentBuildID 20250331180000 -sandboxingKind 0 -prefsHandle 1444 -prefMapHandle 2116 -prefsLen 25337 -prefMapSize 252329 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f2020e85-d227-4605-b848-7d31086dde8c} 5196 utility
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4944
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3568 -childID 4 -isForBrowser -prefsHandle 3388 -prefMapHandle 3652 -prefsLen 24122 -prefMapSize 252329 -jsInitHandle 1364 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c6f0807d-d5f6-48e6-aeb8-d9b8c75def2e} 5196 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6680
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4480 -childID 5 -isForBrowser -prefsHandle 4484 -prefMapHandle 4488 -prefsLen 24122 -prefMapSize 252329 -jsInitHandle 1364 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b4b95422-dff2-474f-b08f-9c44a4e4171b} 5196 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6720
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4644 -childID 6 -isForBrowser -prefsHandle 4652 -prefMapHandle 4656 -prefsLen 24122 -prefMapSize 252329 -jsInitHandle 1364 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {974b400b-e90e-493c-8920-9ecc9ae40f42} 5196 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6760
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3636 -parentBuildID 20250331180000 -prefsHandle 4048 -prefMapHandle 4044 -prefsLen 25460 -prefMapSize 252329 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7efca37b-45cf-45bc-b14f-fb339701ca89} 5196 rdd
        5⤵
        Executes dropped EXE
        
        PID:6884
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3944 -childID 7 -isForBrowser -prefsHandle 3632 -prefMapHandle 4704 -prefsLen 24472 -prefMapSize 252329 -jsInitHandle 1364 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {9ee56d12-f9d0-48f0-bdba-17dfcf0917eb} 5196 tab
        5⤵
        Executes dropped EXE
        
        PID:6468
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3364 -childID 8 -isForBrowser -prefsHandle 2248 -prefMapHandle 1964 -prefsLen 26060 -prefMapSize 252329 -jsInitHandle 1364 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {dfc47ca6-9d51-4f34-afff-28aa44c9106e} 5196 tab
        5⤵
        Executes dropped EXE
        
        PID:656
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2168 -childID 9 -isForBrowser -prefsHandle 5280 -prefMapHandle 4004 -prefsLen 26060 -prefMapSize 252329 -jsInitHandle 1364 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {491ca41e-fb5e-4680-87cc-6fa106a27fe8} 5196 tab
        5⤵
        Executes dropped EXE
        
        PID:1436
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5056 -childID 10 -isForBrowser -prefsHandle 2128 -prefMapHandle 5260 -prefsLen 26292 -prefMapSize 252329 -jsInitHandle 1364 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5186b987-8912-47b3-8a84-9e980eaa4b73} 5196 tab
        5⤵
        Executes dropped EXE
        
        PID:5656
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4236 -childID 11 -isForBrowser -prefsHandle 2132 -prefMapHandle 2324 -prefsLen 24889 -prefMapSize 252329 -jsInitHandle 1364 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c078d535-f5ad-4008-9b6c-37e86e4d2792} 5196 tab
        5⤵
        Executes dropped EXE
        
        PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6636,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=6624 /prefetch:10
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4444,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=6628 /prefetch:14
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6584,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6712,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7092,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=7072 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=4956,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6860,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:6316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=5928,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:6812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=7212,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=7264 /prefetch:1
  2⤵
  PID:6800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=7484,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=7440 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=6632,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=7632,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:6076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7196,i,15404421215741267118,3687217721811535057,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2948
- C:\Users\Admin\Downloads\setup-qtox-x86_64-release.exe
  "C:\Users\Admin\Downloads\setup-qtox-x86_64-release.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3084
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files" /save "C:\Users\Admin\AppData\Local\Temp\program-files-permissions.txt"
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1380
- - C:\Windows\SysWOW64\icacls.exe
    icacls "" /restore "C:\Users\Admin\AppData\Local\Temp\qTox-install-file-permissions.txt"
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5176

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5620

C:\Program Files\qTox\bin\qtox.exe
"C:\Program Files\qTox\bin\qtox.exe"
1⤵
- Executes dropped EXE
- Unexpected DNS network traffic destination
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-994669834-3080981395-1291080877-1000\GGGGGGGGGGG

Filesize
129B

MD5
e28ccc0b972439f2c9e78c3d210ee412

SHA1
b0c8a41c66a0ab6750845dd62e673fe9a9cbcc93

SHA256
145f89ba6a4cc8ccfc8d9b80de5f77d3b62fdb458356d05d35e70dad16fe3df4

SHA512
26a47fcc284b314394cc5669b81f3803d9a6e923ff3bb3fb16f13e32259ce2fdd2d02c02f361035438d34fa590e1fe56a219e86f3615f72aac3787e780cb7d5f

Download Submit
C:\AoVOpni2N.README.txt

Filesize
1KB

MD5
7efcef8082ee3cedde5e40c6c8e42817

SHA1
a228dddf025a8bf8d7f1ab663f2800aedd4b5603

SHA256
b0d37026b7747ad8b62a20be9f1c3a64429bcecc52c9f9cc9bcd3268490ecba2

SHA512
af5d631726f01b6edb87db519fd2dd732d94484d07f2d6543d65372e2a7da3a1289762c4642723e7b12cfcb8ef49e0ee4dd59c5432d1b48dbe438f9f0e7ac463

Download Submit
C:\Program Files\qTox\bin\qtox.exe

Filesize
11.4MB

MD5
85ad441c64d7c3576d58c112616d476b

SHA1
c8ebfb14ebc0a4732114d6d232a17611820469a6

SHA256
02335ebe52cabd7f1b800fb726572ee18d120af944b369a98be7c932f20997ad

SHA512
74e40888ae4f977cbd69bd7256ddbd60ecad47e9196624ad1d022d5967da5089064f3ca65ed927f3873b3f8eb967828c77fb794df87216e476926a11f0d3ca77

Download Submit
C:\ProgramData\EC07.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e15a1a76e2e3e35f9f6ad9920cca927e

SHA1
79f9985600c77f720b658888f01bd70db0581aa7

SHA256
6ceb1a1bb55d35c26019689a06685e16785638142140eb9f57d7b51d47bd836d

SHA512
3129264f9fcb995053bffd14e0db5b138989fda37a1d46de795c28ea563aa073c1fdee8552e6254d39523b1b62ef0616b42a0022b672f40d6a46fede506a128d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
63KB

MD5
00a34503c5efdf7f4815c3bb9cc9cd68

SHA1
a85d51a8bfe01bc2c26bf0cbeae56c057788e452

SHA256
95ac4bfd07bbab1602f31faf2b3a3ae4064bf191917b229440a6cc722af24764

SHA512
c52764de41844701a47d0eec201649f20813a51a7b68feae77b47fe32bc90771c809682de3b12a94f37c2d41c8adca5a3707ad50618b402cc49b2f78d23c4259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
38KB

MD5
f53236bc138719b68ccd1c7efb02a276

SHA1
26b7d3eea5d3b12d0b0e173ebf2af50a7d7e56d6

SHA256
787c14f8cc865430c03c96a345044b7c5b8dc8a032511a500d4a42228533acd8

SHA512
5485bc7ccce8ec75f60bca3be846086a4bd4466009c8e22da9cdd16bb1154529af2fb2667cd3a97485cc4f6635fb79ac0fdda4f3e1f39f25f6196f708a92d740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
500d44f643ad5603237c0f2548a71852

SHA1
3b4ce562f5dba1ad638a95fa5b25fe1a0e829323

SHA256
06522250d63595a4aceef42beb64224c000bef94ede6404131aa238595655e35

SHA512
ad8253c16d7f98f64653ac9df06258b6156498c0545fc48f0e99459eccd4cb88358a192b86e7564b56801c752e7bf266214623bf8c1a808a74ba3ca4a3317bf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a6781dec829d581990b2b5c75b2aa0b4

SHA1
a0b1756c689e8e2fdfbe6cd0036bede97b9d8a4f

SHA256
88770bc04f9c13063248acf1c1e76c8b5860c17d51f2f519a69e0abaf3e8438b

SHA512
e757f988097f9076086892d709a3ca7f50eb305e4f1ac9da04c3dd6d89392afde4c331f611f7d4d894ff201a72ff8e72d003d2967afcf74a412d074964f4d283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
3abf51b2dc4c8e60ea1678818b4dda49

SHA1
14d4adcc7402ad8ac869e6434c5dc3c911f43c56

SHA256
3ec62e5b4936fdaf12864edd82249a4ac5c3026a0622f89c59945e857260242f

SHA512
cbdd4f747dbc1385a0d2c7503b6270ec05973ec4e200fbb3407ead77bbc3e61252b7a15a73c8015e05bd439cf5298199271c8de84dbf0af814170d5ded21476b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
7d3a2c927675a671283fc8c8e2af97e6

SHA1
eac8b87495868e810b850fab6914c82812331a97

SHA256
7d8b213a31ab243e60c077fd78d3a8b24110ebb302425f502c36dc16aa67dad0

SHA512
d7176f890444fa6a37e81a022e17434c6cdfa4cbbff767579ba8ab5ef00fd0619b3a3732c4754f706a40be4f66083a4ff1e2160d70543d175e3efea463b67362

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
e11169e6274c7882540b12f5ed943138

SHA1
6fba19135771a42716479dd8e5a30ad53edc282c

SHA256
aa9330f78507421565cd249314da95e772f62bf1c57b6f5adb915c6117df15a1

SHA512
192fa83292683647d2d320c032c7499e68f07eb6313ee1c076c02f45a77105b460116e8716c27667b836efc232a92b04f2acf96f4c345b349c6e735f56712d0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
27e5a618de1ef53b70c8c159590c7b89

SHA1
20088867937f9a16f91cf5bccd2dc6daf8159265

SHA256
8867f13214ae856f385ddfb5fb0572f0fb4da360703f5edcec48fbbbe30b2ddb

SHA512
8ce07f4181f70fb58c56be3a981ec37746e961989312922dc6e295db9c6a108d9576b6d9e3aade2832d7f4170c9d83aff6f8529fb512f5178be1be5d3a9d1dac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3030157e710bd2aa125ca8a6c4cb5db8

SHA1
844722d8ffe95b39f10f158ecbc8cd018cc7bbbb

SHA256
74fc089076f61c883496de23f5abbdb8ef927d329f353be92a183b84fba99c91

SHA512
35cd319b3d8149379c0b270b6e843dbf6658f01d3a86fee811035ac465a7dd549e68e82284a30a367e82cdcf31168f6fa7e9a2725d6aadda468d1d24c4b85874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7c129961416a05fd32d3d538b6e282d2

SHA1
57aa1b95695f11985992d8324331109fcdecc8a1

SHA256
3861082a83943117da2c72a1244077b3efd8062912ffcb605327d7b22c82a8b8

SHA512
b15d3283c4a43e2348d0853183a7bcb027f5869d203465a48f7a45fbc8f800a12b47201433754280bd03cb2c1dee59526220ec0aac07a8056f6a6b59ea2d843f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0d712e9bb2bf035409a6995a265e2ead

SHA1
1a4f8bd2d30fdb6c1f1d094286570f310ffa5248

SHA256
5e386f6a1947f53ca1210315e697c1b16be780d10fe0feb6e0b3745486162eca

SHA512
e3fb16e2870aa8ea000476a0384589fc83769ea8340c9d5ea01c9196f6ddad907e3753ab5849a1a1a9336f8c6440f9a6b184b1818c3e61c9f6e844caddab5312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
4ca371801e63ef16c34c123238d3965d

SHA1
d2846a8310512e0baa3c63242de8f8bd13501560

SHA256
d92f184a4195885e6710dcd374b52bfff965d922e3a3840fe2a084ef1189e6ae

SHA512
7950b45e48ea8010d942de0db6f8406f1dfa63cca1520b05c25748094c467aa7dab2a5d5588249fdd80f0890fa23d3ae00d7d2b4b94f0e9005c00f7758f05602

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
cd9ffadfb458a9802bcf965121887666

SHA1
f63beb59992b79222f316e9a21663c984e284eee

SHA256
ac77fd04a03403b781ac3e41b636d38166bc179c1181043307e9dc529b01dd7c

SHA512
024d98387fcefa48354b2f43fe4791b81437fab88bb01a59114746f85b81f49db15ec32af0d366ae5bd24efdb90cc620f0c1ea5052e6b30aefa2bed8761d1060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
45605ac85c8e7c541fd6ac6b3d85c960

SHA1
090c3d7499bde0f21c7a2dd7204d7a6ea289aff8

SHA256
770fbbf74264de6dbaac02d4d12dfe366e1bdf710cf915c7e1fef3e5fb958823

SHA512
f3821345f6ce5eea1edf2077e1ad29d2a2e3a3da0aa3f6eaef4e4f203756000ac60119bd165b95ec9bb24dff0ba9ec27b06bda2b1d9fc5672ae365f55c055663

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
44ab79a2fc4b5824e09898e43f5293b5

SHA1
0d8488b084f92c06a3c9cbf2e2ab58169bdbbdb2

SHA256
c024ee2f12ebda79e191ce476f8971fd502492067889ca9e9bb8b6a3d341dfcd

SHA512
1652f188e0663756d8526d1736a1f1f0d37df5cea760140d0391071636331942f42456bcffd82a7a70576f4668896ad3194d2ea268549957daf7877fdc3b3eab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
6aec0aac130fbda31cc7d8337c51faaf

SHA1
5fe68f8777a19eb98c830e3ec7f904b6c8ddbec3

SHA256
054e47819f5f23c70fad6255a63ee02f129e91493ea46a9e44382c57c80575f8

SHA512
09358fee8f7b41ee846ffce1110d88d00bcf700b571568a0c7d3eb62e25a37cb9011545bfec548af3da9ccce5ee2a809f5a435977b6204f2c1800a342291ee36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
faee98048cc42ab4b720f9957290527f

SHA1
1b0886ba2a5a2818f78b63fb19822640228f4ef2

SHA256
360f33f5b5b5b8c4b82e4f65bb094d5160bd9d5a1b275b5e65592a637537d228

SHA512
6a572684723fdfc5bfdb7ef2059ba5bd8f35020ebc051f826f71d6b23d4272c6f03cee002308172f6b3e753c2c37f934c656e384b504190131bd13d545fd3cb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fd4306cd5f98fc5d4f77887a2e838556

SHA1
b13b1a3824629b7087e08fa07df14b7584b34078

SHA256
fafa2d05a69a730b738535c2fa36302d1bae2a5da7e326917c768cbe2af2940f

SHA512
8accde1518271f7c63d46d5b6f200c8e76e911441d5b9236db1a120d6375ddfd5d155805877ec70abab50a9fe6da2f93d987fe3c86095ff72609d3b36a74b146

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2d285b5094e56b2ba4ae2f5c6958f778

SHA1
b83bfe26eeeb0fe2650f96d42e513391595a5f86

SHA256
b9abc8760397ca732591c4b025c9ac871bdca412e84f3a9db5592ecad90dca79

SHA512
1626d81de09ff0a016937308b49f546421cd13e3debf48079d59e43aca3c641a732be5b155d15736850b6aa25c1fafdda482a82617470f07be621abb97452ef5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
198fe566f9db46d5aa5b3011369ac19b

SHA1
57cdbe2cb75904b831d38c02ab8d41747c30be0e

SHA256
ac506ddf7bf1874f4ffa7873ca22c581f136760b461244ee1201942e5e5694b8

SHA512
452b92bd6a4fbec8beabd96b9b5e65cdcb4f9aa3b7e9f9b458ed90acd07bd71db5a9ee14f136d843225cf5053b0c1aeebe04e44b3dec800ce33f738574a3fd84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
cf237e80f539de9f1090a818ae2e1a9e

SHA1
12cb407d95b6a70865afba3dad8aadf4ce0fa401

SHA256
d1e75f72b8ad0fb3dfb1c7bc4c57fc96af71faa82e523b929ad66beb9cb5d158

SHA512
f68caac0fd33edd1d468e5b57551d6897c5ed9fc65bf2ea45376f913d4a68546f437fd2e8cb18598635e47486c9efd0c5e037b48c6fbf1a7730132b9fde1d1a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59f3ad.TMP

Filesize
48B

MD5
c4ed08d38175379eb5e2ee91e77f3eeb

SHA1
59c6836ec646723b18f7662ca45969e3d85bcadb

SHA256
0b80eb54213df7d0d131d933a6666d317186a35437e46883116e0dc3001b8d73

SHA512
794489bdf5220ac79fe6a0bcf926ba47ed7bd8fc52293ddaa3caf26b0a6793fa35c8424e28db14e2ef9d001782235e428beda32a73dc88c8cb7f81238a6c8c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
685ab3286b81169d6048d98e8b94ef7f

SHA1
f23933e95aa397cd356132d24913ab6d41196ab2

SHA256
159dafea9ab67db5de57239874dde0598f69f98eb0be3c0478bda1902184f495

SHA512
c8336c821c8ad711bd5d2acb7cd9f6a88e2d278a69ca72f3943b952b7a9447e732f89536fb669e890ba39c3b02cdfd09e923f684304369902b845204284e9ba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
38198f693ccb8dcb7ce715c640872eba

SHA1
c278122fbbc4526cb1109fdb8fcb8bb12c58ba84

SHA256
047f27097f08888e58260b8d73b73bba196c9e1bebe4577b530f40edf5d425cc

SHA512
cc205c6e782cee5fa37d0d7cd2f9cfe7a33e10e84552b647701a2473a52fc0d39b259dcf097eb1a137cc725142f6a9f796a760ba4fb2759a433862d8600ca3b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
81107429747627bb660479813686cf84

SHA1
3a87bdfc57212a5ad4fa888edba5c510c3f6b521

SHA256
7bc6b2af896ebe3e07e7ad6d30688b7b8de14a0ce2314347978a675b71a78f1a

SHA512
cb51c49bd277cb94d94a76a0b6e92b7f7be3816fae9637d5c6a01e5a3aa405425763cd38e7eb5f2b05c126f78eb1587be15cd9c0ecb59405e5b5377182f59142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
dc25d4aba06bfd70c741ee69d87b4bc2

SHA1
d6e03a72563d19430b2877ac171189c7d017e569

SHA256
ebf9e9213cbdcdeeb35118430bf27fe69973a589eddb3165e05514ab495565a1

SHA512
65f177a9c85b4119ac1a0b22395848193aa9791587f59d0da330b02d63d5bba45a21d9562f3b9fec6f02f6026eece6fce3f1d7ad9608e9f95176a0508c84af75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe59c77c.TMP

Filesize
1KB

MD5
cf0c037bbc3343bf663e11e9515e1364

SHA1
1ec54c4cc5474ad7b7bb2ab657588cb43b44bdbc

SHA256
1657c07bf7937bc92a6e9ed8a5df9248217fb0e921a389dc5e93312087633e31

SHA512
3bc4fad77e0f1203451bc3aed3f19caebadba3e1bf16886caed29023290d9a0b1fff982eaf300db95f609dec74bb2b6604de5cf394372f930ddec59b9cb124bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{863194AB-408B-4387-92C3-F29E7F42AF21}.xps

Filesize
13.1MB

MD5
12137aaf6dc9b27673ca75fa529a7910

SHA1
964e98bacbe582c4e53502b2088fac646afc7566

SHA256
d4f3de5c2974b33160087a853fb40300d82e5ec9be51df668ed112c3268ab5a2

SHA512
632ba3212437264ade539e3ec738c16154ef00e9eaef8e83187dfe06e554831da3e46e094fe68a379e07bf5d0b372b34cdb40003850f6c5af696f404b4a6d721

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

Filesize
147KB

MD5
e14041e6025d1090ac4ef89ba6daf592

SHA1
00a9401ba25057f988584ff0aa3721cc3a091234

SHA256
c4bfa80e420bdeac7df9794f2252da1d5085e41662dd63eb4e2f0cbfcba8e348

SHA512
dc340c33ea18ba149ea56f51efbb82561d704f8ecadc267b4340c53b83e0b314048f54e703045dc8840f084bae3d6d58eea0dbaf093e36a152352e8ef37cb655

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1335.tmp\InstallOptions.dll

Filesize
32KB

MD5
1f24c9859dd6639d0c752d7b96a2442d

SHA1
7014f711d1d06cdc3d5bae678aad29e8b9ebcfd2

SHA256
657672be6ea8a72fb4765074cfda019fb8fa4eacb3238a416c186f53919d7cf4

SHA512
7a488b27031e76873623142e66355d45a2bcd13d0fe235b93db1f92bb5c6658c4b689131672cacdad7b5a3204fca3fdbe020066f442b3a0db17fcf85f3eabf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1335.tmp\ShellExecAsUser.dll

Filesize
43KB

MD5
552cba3c6c9987e01be178e1ee22d36b

SHA1
4c0ab0127453b0b53aeb27e407859bccb229ea1b

SHA256
1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29

SHA512
9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1335.tmp\StartMenu.dll

Filesize
12KB

MD5
80db9f53cb4176c30ab415985c876a86

SHA1
29a032cf9858b309982bc96910f66c72cc2056fe

SHA256
a75c0c6ffcfe8cf8894d2c644f74cff8da2af0dffab23782fbbb6597c1c7738b

SHA512
8b78a31d507e1641b3cc08007a6bee9db99923178b19047b65448f7143c55074f8219a924ea4690de8625beda1b53c6b8f216734f76c669856f7d256961f77c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1335.tmp\System.dll

Filesize
28KB

MD5
81e34f1c4b04a15dbce200c52f598f67

SHA1
f40a922ad7a5494e2aeeaa2b961d96738e888af7

SHA256
b89448b9fd7be5ef215cac6d973a57c0e75e1fffa25552afe174855c9b71fdf9

SHA512
577f52a292075269f0e8ec4c6d243b2ed411872e009839553020929a8263174ad97943f150543e4ea6cb327d95e227f4065441a9d2106b7cabf1cb872dbcc181

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1335.tmp\ioSpecial.ini

Filesize
1KB

MD5
8b867f46659d58b61e6188a899b4e00d

SHA1
191814cd44b3a6e304b59c6e88e47a3b12639b7b

SHA256
a489b371dbfcc2fc5a11420ce314fdca27c3fb615e704fc589b18ac53e3bc92c

SHA512
faad68fb5872e20839a4392b304be7175893169477a13d874c1bf0ca9b52d73491b7964159818976c1a27476c13cd24f7523de44abc8ebc2dd37997d49f735d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1335.tmp\ioSpecial.ini

Filesize
1KB

MD5
a7e470cfcd530b75f05be4d8919ea5a3

SHA1
21a485743011cf6998a89dd289caa5fc73e89ba7

SHA256
43fb45af797b5343313a749065f7d5cfa9f527fd975b3f40a7c2f129b5335735

SHA512
2ff6483bb71928fa187253f3bb320a00de385f1b84ea335aca1dd0e36d3dce6e66fccfb5f419d4fcab08160f1411bf9ca8bb8bdf4cde0030e0b5cfc6038683d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1335.tmp\ioSpecial.ini

Filesize
1KB

MD5
a1c652044a452b6ab7086e3955e7f209

SHA1
35f3b634b955527e6b194aaed2930aaa7f52caf1

SHA256
427e8b4af724703621974f15c7e198bc2ac2e14e3552ee8fb61cfdecba70e122

SHA512
01ae887415f84d8c87f16177f3497f31c9ed110c9900ff41e03608b1f13a89715077e78338489d422a6d40e6de444c98cae4f417a1e8b2e097083d91c6cca80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1335.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1335.tmp\nsExec.dll

Filesize
10KB

MD5
e78bcd3208bff839e612041895bb8d42

SHA1
4b21b475b21d8f8bb2655d8e8e7d47548825831f

SHA256
0d7f702c518286a2d87db689af169c3857142324de4c9d76d51ebf639dced3df

SHA512
eb38959a877d1af4ae53f25407ede3172f990f8c824624f5a2f385cddbd71a437b9033d45042a0e40f7fb611ff48836be166d97d42f3c169babb063ef48e8e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg3694.tmp\LangDLL.dll

Filesize
7KB

MD5
9888fb6b91a680305b2a3e7b71d6561d

SHA1
4a7935da38f88e9f74f425078ee39eb6269c4e63

SHA256
81726604d47b192620bcf90d6e42ba8ee8b4c54935b0081655e08247d6b6c675

SHA512
f50755e5624bfc3a60a23a7dda012509c1e31d9772d6a0ccaca88e32ae8d4602e10e38003d78b1626464502db7ea7c47d772efb7b3ea7c3e2238bf3b9809f833

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw3878.tmp\System.dll

Filesize
24KB

MD5
d997606c77e880be2744c44128843d60

SHA1
92bb9003dc14ae03963f503e82a668877ca4295f

SHA256
abb2613ff851b2cbfb61bf97e4eef9d4912abcb46e04774ad84812ab75d4dde9

SHA512
714d7ce786e9fbb6f0d0e537a146a3a24aa79089669dd168b7c110dfba667fa7afb794b3dd2b93fa76e1d1771af3347a0f568cbb0fbcc8d9755de9e6e54382b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw3878.tmp\nsDialogs.dll

Filesize
13KB

MD5
bd0d7a73d0fc619e280372587e9e3115

SHA1
0cde473dda5d4fda8190e6460f3229cae2571af5

SHA256
c7f2afe3a2424e71563e69d862dc027d299d84fba4ac1ba11e593361daec0a80

SHA512
914983bfa336f9ea019bf5dc9ee403af56a6c7c1d88b8092609e4026a3377daa6ef9a8e51a93537f6769ae165c264763645a363fb6a89f8689f59caf985c18b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\remote-settings-startup-bundle-

Filesize
195KB

MD5
231d6ec9da65f87ba10ebc9c34a1f5c6

SHA1
96c337dde3e63318a4ae37d78ed28deb1723b0d4

SHA256
485ef8a4a05f08dfaead870bfd31011852aca9d2a47416995a0fd95e2a60e2ec

SHA512
2a5741292c795989543a8d056024711b2123b542313c94b1c54ea1736cd3fba83066f8aef16638a5abc45f38c68554e51d0bb65b0f30a97449e4be4bc2c8fa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1728_1039130137\873a7150-465b-4a0a-9968-5a3eb3217921.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kczpaspo.default-release\prefs.js

Filesize
2KB

MD5
640e5b7260a0ea9d9504d519d582a5a4

SHA1
3bc56bb119e723326e6073f88d351ddb04951179

SHA256
b04ac79865e1ff165cc89c3b04c7cb93d37e6e0a0b5c07e7ac7aec2472a24cdc

SHA512
6594900b1dcccdb761a04b6c38a5afa2a4991a87923853cce9b773cda074ce9d1d87067275c900e3bff772d21b4f8b519a8c0973678447101ca34b4250f609bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kczpaspo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
48KB

MD5
6126b893b18d7b964c9be6b7d4356b37

SHA1
64f6a09def284c7cc9e9f1c21456792952a70587

SHA256
5670590904f2d841aed68a2016ec19a5690af22c4d3771b919eae316dddc6a8f

SHA512
397f09651dae9e161e6a25e6caedf10eba20628cca3fcb990511c97aca6bff6e8990c053feb7e6948fe374eded1d3e222101d8d7a75fc531ea9d20b69da44200

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kczpaspo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
80KB

MD5
cda914af888df2cb785302f47fc2eb50

SHA1
859107231470d6f32dc507c3c53035e6c9f17cbd

SHA256
fe0add6ce6e5a57f4f16dda4225a544ded83b613352607db00539390ddc2a1c2

SHA512
bc6330fc89b8b9ef3399dd39090f004fa1a5004edaf6f4fe9ca84f7313b966f48e093431041d77751eab74a54b3753d1766484dcacc5e8b9eb207893fcd75a69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kczpaspo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
5df4d1e6602da9921db6b8619a627506

SHA1
ec1fdd5ec9cbf9ca40e84d92f8e7230df5224f92

SHA256
57f3b46dd11275c797a008989c860c688db6fba67fc57451849875d4389f7b5c

SHA512
4922fe1ea678510182d7fa01dc1256cf8122c4eea41160a49f72ea0daae98f8baa2cad152ea49fc26497c14f66522b7b3bdc6e3206cf1a5c1eb3d86afc177d70

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
63b1bb87284efe954e1c3ae390e7ee44

SHA1
75b297779e1e2a8009276dd8df4507eb57e4e179

SHA256
b017ee25a7f5c09eb4bf359ca721d67e6e9d9f95f8ce6f741d47f33bde6ef73a

SHA512
f7768cbd7dd80408bd270e5a0dc47df588850203546bbc405adb0b096d00d45010d0fb64d8a6c050c83d81bd313094036f3d3af2916f1328f3899d76fad04895

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
b1c8aa9861b461806c9e738511edd6ae

SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8

SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70

SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
7fba44cb533472c1e260d1f28892d86b

SHA1
727dce051fc511e000053952d568f77b538107bb

SHA256
14fb5cda1708000576f35c39c15f80a0c653afaf42ed137a3d31678f94b6e8bf

SHA512
1330b0f39614a3af2a6f5e1ea558b3f5451a7af20b6f7a704784b139a0ec17a20c8d7b903424cb8020a003319a3d75794e9fe8bc0aeb39e81721b9b2fdb9e031

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extension-store-menus\data.safe.tmp

Filesize
245B

MD5
e41a948534f6e10c71ad031683c27930

SHA1
3869650897d89fc67cb56bc0707bd3edea1b673b

SHA256
69add43c45c18dc4e408430c5730ae23138d014d197ba53001a7c5bdeaf3f539

SHA512
b10e7ea994cc96246a857d8f277650c73b50aadbf6bbcc84cdc39e2742aca845f9abdf77bc722ac4351dd669fbf902a76d97c5824be898728466798a4a006c35

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

Filesize
16KB

MD5
a5fc4f14da11a9f1ecce467d5c67444d

SHA1
a6fb995c5b928728fd3845fc5b7d36c7a6f6ea4c

SHA256
92f41dbb13aa593c00f27c09b41c24cbc2db4277d93e066b97030f9897ee6432

SHA512
1aa82b43e98197eac13f7c88d3c91e32607ce59ac735c39b0c203aadbaf7af88ea5cad61039e95a394c1d3141412b11920f959a5a7448af40f015a4681af41eb

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
4KB

MD5
cd9dd45c69dad8e64287e52fb9ee41db

SHA1
fb1d026270463194c76f79df9cfbcd1d6c00edb5

SHA256
f96fbbb4a2d318272134e4e9d9f2ec84e02cf0a5b3b8cc5bb5b1a1ad1d50a2c8

SHA512
b949f4f201c3c3d2ba3891bdd30fe7c431ba7126bd91ec054089f975c0f31f089afb63e858ad6cfbefc34610c3169ef1f13dbc0ffcd6f1e2ab15f94dcef0f866

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
4KB

MD5
7d881e9bfb2dd63990197557f3df0828

SHA1
b98ab2fd48a024e1b2e7e58747c6d5e6751c9328

SHA256
e8799ccf1e7ac4c71ce138b7d010b16175ddbc84304b93428b44c4af8b9cdff8

SHA512
7d66ba2fb30d3eeb478682e2feb4ffa55c2407dcfa885f14b6f63ff1d57feffccb4b436377b22376c00c8654f1780532b6c013e0261531692416cdc2b99f6e71

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
c23ed028d486af78014c61096b19e6b7

SHA1
93bfa421473158e865152110cecc5c40bcc0b8ef

SHA256
fd81f06d06d3fcbbf358fb7f57e797744307bc3d6d6cc07b0a61c7b4f2ce5707

SHA512
dfc5c2d807a7c65cd305324da95adcfa549fe6b8caf61bbd3116fbb67e966f8da2ad025e51c82a1b1de55d0ef41d20906316ccb2eda3dc8434d41254077b1734

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
580197cebf1e927d88cd70bbe1a3ed52

SHA1
4f93bcebe496342f63010d1c58a403ad29cef413

SHA256
f76632a8c3246c80fe1e008dd9e4f18d34d27c2596bd06f77f1713185c74da8f

SHA512
3fe18bf08b0ff60d8060c6f5c1ec7422fdec0818becb9416a85bf8c00efced8a95f6f0240b4e55f8d9317da62f25332e3cff97e5c049d5546dead0a992a7b691

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
1KB

MD5
4106723e994c9c217c72aaa0bd898148

SHA1
6b7f53471ea5b1f462bd4b6f86e3b59c0c1b9d36

SHA256
19981e446bba0481d026c854ea66866c0bf0d82dd7f10dc4389781edf29476fa

SHA512
0fd92373e6d099ec31a89d461a44341e73ec071a543d6e2f205ac5d55acbe24159ae3fc751e29a51c1979a76433277b0df6fbb8a49b892f1cc26fdb667cdf2a6

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
4KB

MD5
36892d22fe57e5f6e364ab09626ba3fb

SHA1
b0e8db33cdd58892126324646561345a1044b87d

SHA256
258f29cd1ea83d9321db5a5ea50bef7e76b11c6d54148ecf1b84715e0044bc2b

SHA512
5f2c461f39f24a2442a5d1da4ee3d2bc042287ae81a170ef12f99f568c25bd58caa33011d7d6d168498886372b876006cf98483da0eb523bfa4b0920c5f62779

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\default\moz-extension+++ae07c1ce-4ca9-496b-867c-8b636e3bcdfb^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite

Filesize
48KB

MD5
c469b275a655f5cffc2002e3f70aa264

SHA1
8af9456d989bba8494ce0b41d7633ae949ca38e6

SHA256
9b4973a73a1eb0f063fafe622def46f4831f589aae05f2947e6daa2b1d6c63c2

SHA512
a035fde8dcb1e1e35f62887117aeb7826efbe2ee418a9a4af515b2559730b002e308f44be38134b08e8bcffafbf52555019dd341ee5030b7368929cd5d0aef9e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
144KB

MD5
901f89c68107339d66351b68c6971f69

SHA1
8dcf2d2b0e84e067525fb4be1d4de6bf455f968e

SHA256
0a8a847567419aefccb56efc444af82a4e0269ff30be69bc0d194981fb8a9742

SHA512
1821e9198e695722dba4a0d525816ac4507206199524e4b265616e6f9623496167d5a3662e48dc63f2ee0042ad94da16d1dcc9582b1a8f1ff7649d69e72fbcba

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus

Filesize
3.0MB

MD5
a65fd97c56b0d41292c7fbedf60a1a7c

SHA1
9d160243578b6988476f7f7779cdd48398c73242

SHA256
cd0ac65fd30679bfafd7ad439342036d8009b13f0253ef517d6c22720ba04ae7

SHA512
e4c4fe26bc623c4c45a3b194e47e2e34d8bb7a54bb03bf5fac1d8205d45b1220f04f506721288c7e31d58e1af9e788d4778b5ac4223cc6e31294c091910aef9f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new

Filesize
12.9MB

MD5
e055e760cc8e2d28924e59e94539829a

SHA1
aad3bec5ea992eeb34cf0c3ec076ef92496802ce

SHA256
e19c73cc008840292c971ba039320c4cebff04264786639545f9f5796fc67b38

SHA512
e9e3c2bf5b30686a8779f690701ac8216c84f524eb20b52b5532c734903481aa711faa8e18b2ef4a636556f5586a95ec7a362140fcb4dc8e52e881315bfe1fef

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

Filesize
1.7MB

MD5
4be3ccf24719e007e5a5627ba60af454

SHA1
d8a39d80f12aad9465124d6f358ffa2bdae31e3d

SHA256
9b3f487c3114a9c44dc4e4957cde1dc8c2225ab37f980550a5cc965a16f493de

SHA512
a6683cf916fa6e16390b672357773a2b175ddef755613f3118836f72927ce7e2bbef2ce26d0807da04495e2379ac2f2db8ab4f10619983665757dbfb04e56b01

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll

Filesize
1.4MB

MD5
86ba564fcbf7fe0ed10b1470d002548f

SHA1
a527c13a0d9c0a337bf8e55a2713089354ddd8f8

SHA256
583507b510b73b6034822b2ec537ca09a77cd8303d8cd25af8038a1f6e9dcf96

SHA512
4c03fb794920a06340f7ebf2290f4e718164de5b4e9d1ec27f7b20124325d56a39f016829bb00b795232a4c805b5a17700c28da5b823038c1ed7f87ce669f5ae

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Tor Browser.lnk

Filesize
829B

MD5
2e7a737f9c1eb9813da2bb673fbb34b5

SHA1
a51a6bd125c96b65041dd88eee216752997f0f3e

SHA256
a15ba5b240c769c63764a8f7c73c2489adb6a1c19000e7d653eec05ef8e653c9

SHA512
5dcc66c5895c5623f3d82f14d2a0e1ddbcc75feb572a6c305b932a07a160865daf2577d68ece365545c9f2085ee3f22c9d090586e114c487f4be90168766fedb

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
9ea448fc7863fc86b101cf3733b6c323

SHA1
cc22258496ba77212e4b07ad0129d682fffb25d4

SHA256
2871f7d360a6cb065bd9eaf70126a3af58758d821106f52402f3b06f1e095df3

SHA512
7e44da2ec296bec58c7ef9d09f4c1a128bb0f493412a04113b2289e03991accb4d31ca4542961d5e00d924a8b16a869b0899aaa6499676c47d71a1e08c7ba807

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 32232.crdownload

Filesize
20.3MB

MD5
d22923edbfb23805930bde5b02df3545

SHA1
7ada79a1d6298ac406e64236e33ab6433c591f1a

SHA256
6e37a262340a360b3e19c535b5a85098ac7ec7c7d2c49598ff28988983f84cd5

SHA512
fd03d731c39e262c83514f893cb5e9e34c124477488184f7a05c55319ee868ed14f9628c86bfe04e4f50533768cee8de3be2dd4198303f8c28e5dd91922b68d2

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.9.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-994669834-3080981395-1291080877-1000\DDDDDDDDDDD

Filesize
129B

MD5
7062389fa6ffe679d314b94cc392615c

SHA1
1e19792c139feead1ebd4531dfc6d67aea6d0f91

SHA256
477736c11d3bca76cb905d829386b5d996c28be5abde1351de47e29b47acc535

SHA512
97c460cb4f3e3d83ad0ceab75b1c00797d7a4becb379dbc4e9cf27ea078ae2c5f1934d5a77410cbf0de65c2a5ced29244d440bfb11bda67e00b0c824b5474f49

Download Submit
memory/4772-1-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/4772-2-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/4772-0-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/4772-3720-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/4772-3721-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/5008-3843-0x00007FFE74090000-0x00007FFE740A0000-memory.dmp

Filesize
64KB

Download
memory/5008-3738-0x00007FFE74090000-0x00007FFE740A0000-memory.dmp

Filesize
64KB

Download
memory/5008-3769-0x00007FFE71A70000-0x00007FFE71A80000-memory.dmp

Filesize
64KB

Download
memory/5008-3739-0x00007FFE74090000-0x00007FFE740A0000-memory.dmp

Filesize
64KB

Download
memory/5008-3740-0x00007FFE74090000-0x00007FFE740A0000-memory.dmp

Filesize
64KB

Download
memory/5008-3737-0x00007FFE74090000-0x00007FFE740A0000-memory.dmp

Filesize
64KB

Download
memory/5008-3736-0x00007FFE74090000-0x00007FFE740A0000-memory.dmp

Filesize
64KB

Download
memory/5008-3770-0x00007FFE71A70000-0x00007FFE71A80000-memory.dmp

Filesize
64KB

Download
memory/5008-3846-0x00007FFE74090000-0x00007FFE740A0000-memory.dmp

Filesize
64KB

Download
memory/5008-3844-0x00007FFE74090000-0x00007FFE740A0000-memory.dmp

Filesize
64KB

Download
memory/5008-3845-0x00007FFE74090000-0x00007FFE740A0000-memory.dmp

Filesize
64KB

Download
memory/5196-4954-0x0000017C76D90000-0x0000017C76DA0000-memory.dmp

Filesize
64KB

Download
memory/5196-5113-0x0000017C7EB50000-0x0000017C7EB60000-memory.dmp

Filesize
64KB

Download
memory/5196-5214-0x0000017C728C0000-0x0000017C72A26000-memory.dmp

Filesize
1.4MB

Download
memory/5512-4976-0x00007FFEB3770000-0x00007FFEB3771000-memory.dmp

Filesize
4KB

Download
memory/5512-4977-0x00007FFEB3DE0000-0x00007FFEB3DE1000-memory.dmp

Filesize
4KB

Download