hxxps://ryosx[.]cc/

Analysis

max time kernel
100s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ryosx.cc/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Executor V3.exeExecutor V3.exeExecutor V3.exeExecutor V3.exeExecutor V3.exeExecutor V3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Executor V3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Executor V3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Executor V3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Executor V3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Executor V3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Executor V3.exe

Executes dropped EXE 11 IoCs

Processes:

Executor V3.exePaperback.pifExecutor V3.exeExecutor V3.exeExecutor V3.exeExecutor V3.exeExecutor V3.exePaperback.pifPaperback.pifPaperback.pifPaperback.pif

pid	process
2612	Executor V3.exe
2732	Paperback.pif
4524	Executor V3.exe
3648	Executor V3.exe
2568	Executor V3.exe
540	Executor V3.exe
1372	Executor V3.exe
644	Paperback.pif
4388	Paperback.pif
5064	Paperback.pif
1448	Paperback.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 10 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
3540	tasklist.exe
4280	tasklist.exe
3592	tasklist.exe
4824	tasklist.exe
2744	tasklist.exe
4996	tasklist.exe
944	tasklist.exe
4876	tasklist.exe
3180	tasklist.exe
4516	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607830138929365"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings chrome.exe
Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2332 PING.EXE
856 PING.EXE
932 PING.EXE
4168 PING.EXE
1788 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	chrome.exe

pid	process
2332	PING.EXE
856	PING.EXE
932	PING.EXE
4168	PING.EXE
1788	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

chrome.exePaperback.pifPaperback.pifPaperback.pifPaperback.pifPaperback.pif

pid	process
228	chrome.exe
228	chrome.exe
2732	Paperback.pif
2732	Paperback.pif
2732	Paperback.pif
2732	Paperback.pif
2732	Paperback.pif
2732	Paperback.pif
644	Paperback.pif
644	Paperback.pif
644	Paperback.pif
644	Paperback.pif
644	Paperback.pif
644	Paperback.pif
4388	Paperback.pif
4388	Paperback.pif
4388	Paperback.pif
4388	Paperback.pif
4388	Paperback.pif
4388	Paperback.pif
5064	Paperback.pif
5064	Paperback.pif
5064	Paperback.pif
5064	Paperback.pif
5064	Paperback.pif
5064	Paperback.pif
1448	Paperback.pif
1448	Paperback.pif
1448	Paperback.pif
1448	Paperback.pif
1448	Paperback.pif
1448	Paperback.pif

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

228 chrome.exe
228 chrome.exe
228 chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

chrome.exe7zG.exe7zG.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeRestorePrivilege	4684	7zG.exe
Token: 35	4684	7zG.exe
Token: SeSecurityPrivilege	4684	7zG.exe
Token: SeSecurityPrivilege	4684	7zG.exe
Token: SeRestorePrivilege	1048	7zG.exe
Token: 35	1048	7zG.exe
Token: SeSecurityPrivilege	1048	7zG.exe
Token: SeSecurityPrivilege	1048	7zG.exe
Token: SeDebugPrivilege	4996	tasklist.exe
Token: SeDebugPrivilege	944	tasklist.exe
Token: SeDebugPrivilege	4876	tasklist.exe
Token: SeDebugPrivilege	3180	tasklist.exe
Token: SeDebugPrivilege	3540	tasklist.exe
Token: SeDebugPrivilege	4280	tasklist.exe
Token: SeDebugPrivilege	3592	tasklist.exe
Token: SeDebugPrivilege	4824	tasklist.exe
Token: SeDebugPrivilege	2744	tasklist.exe
Token: SeDebugPrivilege	4516	tasklist.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exe7zG.exePaperback.pifPaperback.pifPaperback.pif

pid	process
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
4684	7zG.exe
1048	7zG.exe
2732	Paperback.pif
2732	Paperback.pif
2732	Paperback.pif
644	Paperback.pif
644	Paperback.pif
644	Paperback.pif
4388	Paperback.pif
4388	Paperback.pif
4388	Paperback.pif

Suspicious use of SendNotifyMessage 39 IoCs

Processes:

chrome.exePaperback.pifPaperback.pifPaperback.pifPaperback.pifPaperback.pif

pid	process
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
2732	Paperback.pif
2732	Paperback.pif
2732	Paperback.pif
644	Paperback.pif
644	Paperback.pif
644	Paperback.pif
4388	Paperback.pif
4388	Paperback.pif
4388	Paperback.pif
5064	Paperback.pif
5064	Paperback.pif
5064	Paperback.pif
1448	Paperback.pif
1448	Paperback.pif
1448	Paperback.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 228 wrote to memory of 4332	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4332	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4052	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4860	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4860	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4268	228	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ryosx.cc/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed416ab58,0x7ffed416ab68,0x7ffed416ab78
2⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1976,i,11943445486095973633,17933295003541338812,131072 /prefetch:2
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1912 --field-trial-handle=1976,i,11943445486095973633,17933295003541338812,131072 /prefetch:8
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1976,i,11943445486095973633,17933295003541338812,131072 /prefetch:8
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1976,i,11943445486095973633,17933295003541338812,131072 /prefetch:1
2⤵
PID:2612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1976,i,11943445486095973633,17933295003541338812,131072 /prefetch:1
2⤵
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4192 --field-trial-handle=1976,i,11943445486095973633,17933295003541338812,131072 /prefetch:1
2⤵
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1976,i,11943445486095973633,17933295003541338812,131072 /prefetch:8
2⤵
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1976,i,11943445486095973633,17933295003541338812,131072 /prefetch:8
2⤵
PID:4120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 --field-trial-handle=1976,i,11943445486095973633,17933295003541338812,131072 /prefetch:8
2⤵
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 --field-trial-handle=1976,i,11943445486095973633,17933295003541338812,131072 /prefetch:8
2⤵
PID:3856

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4056

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Xpl0its by Ryosx.cc Web Byfron Bypass V3.zip\README.txt
1⤵
PID:4788

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\" -spe -an -ai#7zMap24041:138:7zEvent24155
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4684

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\" -spe -an -ai#7zMap22551:154:7zEvent15335
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1048

C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe
"C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit
2⤵
PID:1320

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:4500

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
cmd /c md 320189
3⤵
PID:3784

C:\Windows\SysWOW64\findstr.exe
findstr /V "lovessatellitevendorspetroleum" Sit
3⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E
3⤵
PID:988

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif
320189\Paperback.pif 320189\E
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2732

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:932

C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe
"C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit
2⤵
PID:3168

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:3784

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
cmd /c md 320189
3⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E
3⤵
PID:2904

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif
320189\Paperback.pif 320189\E
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:644

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:4168

C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe
"C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit
2⤵
PID:3672

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:1932

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
cmd /c md 320189
3⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E
3⤵
PID:4548

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif
320189\Paperback.pif 320189\E
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4388

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:1788

C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe
"C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit
2⤵
PID:2052

C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe
"C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit
2⤵
PID:2012

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:3544

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c md 320189
3⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E
3⤵
PID:3676

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif
320189\Paperback.pif 320189\E
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:5064

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:2332

C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe
"C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its\Executor V3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit
2⤵
PID:1284

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:4896

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
cmd /c md 320189
3⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E
3⤵
PID:1176

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif
320189\Paperback.pif 320189\E
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:1448

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
edb5a3ba8e5fc61f10eeb5b7c69f1d74

SHA1
06221942972efab0145c18632626f2c24e3b6bff

SHA256
c1e4a98e5c769b18a13bd99af6f0d7bf951f92208d887b5fcb951b24ddda236d

SHA512
d2e7ae2c788405f27659bebc091946809fae8c4f794f4be05e8085c30f80e8e2e706b8f29861f0bfab004c833d3a0a797b0746a397c66cff268d0a70d91d44e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
81565b7d87f2854c7f3060214594a92d

SHA1
d47bd4b23a85f957a54daeb535cc224d08dfb419

SHA256
500ad4572468962e46ab565a936f0e5f86dd873c5def32e8c3bad76700718f43

SHA512
e279f20cc9400b15c5bb096f3d97f1790267a8a3eb7914d315eaafe88af07f5c65fa1da92f32ff3d6944d33cdf5c693c5f8e480cc5756deb762ee592ce48629e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
197ae8361c9adbbd87c6b0a031006471

SHA1
80031d1aeb9d5fbb52b699d9252e06da796396de

SHA256
87e8d3be6244a109b2b5bf9d8a1df0e54f09d3b031b341c74b862723ad226f72

SHA512
8bb63dfad927f6f53f2f7e6dc3c231a80e1439e9c7d5b67b64b39b2cdbd136142c158a049f99d0dd6cd88009d24577d8ae7864228594f41c647e8375acf22645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
57f728aa3be3c850115e0adfff6265bc

SHA1
5f711f9d46031577b16aff2bef8c844980dd2d9a

SHA256
a41940e4ece26d660fd1de7808d7e95e76b65791b3601ae28ad6a7c98d26b802

SHA512
12c7fa4b6cc932c3d3cba44ef9ea0a565ec529437710faa0939814dca12c5d85bd8ab78a9fa1f26f17d5ae44cf9ee08a413f4722848b0954d9d8ee9aee54825c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
29dcf56f00622918ddd580ee00dfca7b

SHA1
733d17153cb489f13db952a5710da65128b80640

SHA256
b5f7572aefdaf4690a9fc693db5f235967009deabe0c64aa8a9aca36230902af

SHA512
fffb3933663002f3d11f3c7e7ff514d9830ce7242826c65aef40577bade8f2643b82d6c4ed513c2ddd0d7d5f12ce305ff206ddf58ea545367e43360e384d6701

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
e4fd7faf71d28607a2b688009b26e49f

SHA1
e52b3c642cd03be3a421bca1624933c6d7a232a0

SHA256
2d56dd69fb18e95d42f34ef5cbb59c2fc25ef06d2632c17ae786c1c0e2ebe2e4

SHA512
1cd92179c59c711956bf2bcbbfe45623a60c344ba08d1bacb42be2366ccae7a63c7f0934b9584f65bab00b2dd8447b78e071bec5ba2e7bd32682c2b133366f23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
6fa3a7859e108ee33a687fcb3e5edc4e

SHA1
3b189fc2e4a5a02e92d2efad8c4aac1c8d0e8816

SHA256
5d618ed44dcafcdfc8b4f098d5a8eb8dd728570802560c3b213dec2be0f171b2

SHA512
dba7cd22aa38b7e9ce152dbe79761494878be2aae294e2ab64523b49f95c36b33980312781997ed4b67a59a69850da67a06c03e0093545cdba4cc588e9fa34dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\E
Filesize
547KB

MD5
a07090d5536d6b68a5bc3e75fff9a39e

SHA1
bd760ce01e9706fa87887f2c3c5901e81938c5c7

SHA256
dbc3319572f168f2176553e4f9291e716f429d74d3661d3380066b3852d7d80c

SHA512
ad2b772228b861dc7fa148d8e75a0f6657a87a0609258130bd0e383181f3c0c15edb9bf5904d52a84a7c7f164960bb1b587326598d466a1bc1f92fccb9c9e113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif
Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Adventure
Filesize
43KB

MD5
9c8565cc855b673b1c11e65d6cee5f14

SHA1
996287ec020c9eedbb7ee034ca05d3983a209cb9

SHA256
808cfac711efa0f7d2539f73ad5b5c345446826e0bf82bedc963d977e9e7063f

SHA512
cee10f173fb860206f51e2a32d389166a898b2feca0c9525e02b37f8e2567eff2bdf6d59ac2e3ca8faa98daaefcc9b0e4e945653a2f24347bde376ca903e2fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aluminium
Filesize
47KB

MD5
408990bddad38af7802d874fa4da7047

SHA1
e457e365f4d02f41d3d75349ed7e462b30e9b9a9

SHA256
94f9920c5c6af66f71add2a5fc3d426be413324421bb675927a8062281ba62b7

SHA512
4c5995571c99f89d5fb71be35b0aba55109aaa5d585f5a0a7a46666ac612784f166e82d05d31791e8610a94f20c3dfbed03e7ad42f0f58ad5ec3395775e83b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Awarded
Filesize
26KB

MD5
f66df9350eb62c394551a6bdd06cca5f

SHA1
a295696f4d3bf7e28ede17d7747ede52b5c85e3b

SHA256
33e3af4770f6ee0d2334fc2091d564ee2f50e1a7931c757c19c15b7eeafcd762

SHA512
34f4119f62efca0da1448ab8c091d5c3693618d5f5baa1f79a56bb46f71832e838e30f6d1e0ae97a0a595ad5e46926502c0cfe498dfd5999336502056efdc697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Balls
Filesize
169KB

MD5
c06ebc0eea68bcab267bfeabde75cd41

SHA1
3af40fe9dc8db434ad81ef3406c49cdf23d0b9f4

SHA256
bd8b204aff198d37ba7651479f9cfba9422e42098a2d562b2ae478f9bfc81ebc

SHA512
741f436c5356615a0c7485d83b6b164a6d918b83e6e9739b0ee7e1bd2b21e76cde13a4fe54d56bbb294b8f16db12bab2bd66b56a0429d31af5f446cf23fef446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Clubs
Filesize
49KB

MD5
8f84bc252992e4fa3b06bb05eec67c52

SHA1
4f65911c222852324a98e97628bc41f83fde7745

SHA256
2b8a3d4b1bcff480b890fd95a36bf33fdfb63059ccd549adc4ef5179d6d353c9

SHA512
36e1a89940a82de86116ee1fed19346c4dfb8db981251c3acae4ac3b0316f0c6b6e86828f01dcc3e9d08c51baad4cbc83aee98ee96aa99770cd9a69c25cc6a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Concentration
Filesize
14KB

MD5
85b6db997894a7d7c070e7acfd0326a4

SHA1
3b637285b2f7f91ff765ebb6df0e6048ab8e21a1

SHA256
bf3b5c8e9c9320fd4b128e6a5705622c0c131c34f3a31ae1a354c7dbf31fb96c

SHA512
be60f2cd2b72c9b840aa9bf04d0ee98e54ce8353338c0d5da4ddf9ffeab35c86513367ae9003d04e5e3368b1e98ee9189e7572f7caff71935f69fd955dd43cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Entitled
Filesize
53KB

MD5
ff6b23fc636864301e3caaa659c3102d

SHA1
de672686b47b9cfd4d5d0a1a57fe1cdc36a4fe2f

SHA256
04a8f656ca840d0acfb56834daeab37ce72d16b25665dd68905ed4f6bec422ca

SHA512
57765fceb856504d445d3ba07616f3b792b0e492ac8b3594a1e2ba25ed00a4c1268025d8ac5f38fe8300bb6460c08b6f8575c67f823e6e630c38e7629e08e4e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Expert
Filesize
32KB

MD5
40a21dddd713ecdf3306d83a18213a53

SHA1
6c501b423664058245b19934099bc03be2b00952

SHA256
c834a6d3c588cf565307cdb23d03bf1368ab156ad8db8a04745dea32c61c5f55

SHA512
99616fc719a283fab96f5cdd04f87a4720aff5c3644b5dd97e556d72d3fc4125bda7519dfcd433fa3e8a3644be7bb93c180422e2ccb4320047c59b0ace3eddb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Exports
Filesize
115KB

MD5
a2615814de9ce0bcfbd6fbbe038e5e6a

SHA1
e8203d41c30bed830020012ecf450b90419e0eb1

SHA256
5a85484002f916c1e0170e839b7b0ca32850576db184ce49e9ac3f637393d415

SHA512
dfbf084ed8726f9a377ef12214c2a60b077787df325d5265dda6231a9d8105cc624c8546f05ada7c390abf4eed1be7b475a4850039ec4026584dc8a523258752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fresh
Filesize
24KB

MD5
929fa2089a55870ce01ada2d52e63db5

SHA1
82638a15eb5b7d04c1ab0a160dfe1b21aba87429

SHA256
ebf8baf61e933b4169b0150bd467ac88be1a8827ec17b3711e7f75d13b30c34e

SHA512
ad7bf0959879852a5fec061ee4bfd05fa207460c4269f9eff3844d8d60f22eeeaa2592a5518a3cf5d5b50e34c5a82023d73f05c2020f0cc92881fd1ee3860d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ftp
Filesize
20KB

MD5
397ab3b2031492e256d221c1961e3a01

SHA1
2c3e9f08365600a2819f2ee6d952071eba45c838

SHA256
8e0955244347b5a84ae6d09c709a6abe9deb1aa847abf7988826e9512895253c

SHA512
ae54d6f3ce07ba1ebfb40bc465804e14f9e08cc04d60716ec62376cffe9b6eee751295c2c8d90bbff4061142d072b135f4069c756f11f99dcd688c2b91037764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ghana
Filesize
55KB

MD5
f9e720cc8b3308aa8b0dff4aa96491f1

SHA1
d8ba45a08def76d7549ac86c30caf5f115e1a27e

SHA256
37d903880f4af82b537f6469126a969e244c286011a992b4109b9c08b3cd5fa1

SHA512
898160ae5cf404932fc33463fa3696089e14d49147aa5351bb310d76a3c5335a065d07e3e7a9131c9e16d99f9c89d727edab4bb2fc39fdf6239eddbee96656d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Given
Filesize
59KB

MD5
9d4703e19a97dfa9178d4264d92d4515

SHA1
2a751185bc895ef2af9c02768df93b62bca44e49

SHA256
34ff2bfe827762b21e09694ab0fe9a9fcb599ad8bdaf34fa7484cb0517a97c7d

SHA512
b61944485b3043844ffa70b43757983b7c3191421a07eab74baad94a7964579f0c1aedac3a269aa1b529c8678397898ae0a2bd05478dfba6c1bad228aca223cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hobby
Filesize
75KB

MD5
20ef1d301be9e22304570001305102ee

SHA1
bb4c617b4d99b454ea2691c56604f333d43bb4c2

SHA256
6b49c8bc7977534acfbadc516ecf1e303461dec329addcb7134748bf23dddec2

SHA512
9cc0166f2f96f22f7327ae0802da81ad1627f41cba3edb984b853629cab461aff8ad5228045afa911e213c523f9db818a013d6d7aa287c7d8d5e27c8370d9139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Holds
Filesize
36KB

MD5
a554ca234387ef88491511c65a9e5fae

SHA1
18c20e58d5ded6a109c818711123d13a0e9071a2

SHA256
1d832bd0360a2398726384362e58a6f1fc170c4d33f6df837d04639219defefa

SHA512
10cead71a50bbe73ca55e2d571f5904b53df8d88b24b605b973140567a50785dea971a74a5591fe23336183502dac84f7f9b8f828cb97363603b4b11fb55a743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jimmy
Filesize
27KB

MD5
79f47bcf459782c895862bafb5985ce5

SHA1
0c711e3bc359ed4fd1baf51290bc89ac3cf82a96

SHA256
390a3f6fb97a16ddf13d05f4a35a06d151ac53c06ec932e7ad15b3a38303b504

SHA512
42e50d396b90e712fa5416c8b25befbd73bdac580bd9732e86f7de4e4a4db87bf77c03c3304debe9d62af4de3d394260966dabc0bad60f5591e36b8f6e7414cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Learned
Filesize
59KB

MD5
2a87824b6839b9c1e74053383e8c589f

SHA1
eabf26bbfa5bcac53dc2d0e9a3ea01d12bb10c1f

SHA256
52d824faebd98180be0b41307dc90fca13f519531a3b425ef90af7e11293182e

SHA512
d0a3d1c79c82b8f4aaaea8d80d176df72671088d930229e38c0f0ba455130e22cf24e262a418cd60be569e9acafcbd3a9eafb0da5e11f1a5bfdf04a9788bd182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Marble
Filesize
9KB

MD5
ef06ee1188bc07b1564d57c6c30f01a8

SHA1
0c366b220a788e51ce922707a59210f3129c0c32

SHA256
04e9867bc75846c9af9e3157a78a09a994d332a877f6fffb4edb379006ff1e63

SHA512
dec4730166b0a5a584bff18747f84ff8e8eb33731358e7cc1d7aa539ecfef1ba4d6b6690673dd267dacc8eb43516d7443f785d43a1639dba3a235831206dbf2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mel
Filesize
62KB

MD5
4220adf178308e0ed78717499b9a2496

SHA1
34bf3553751d91de402a22656c93075f43147ce4

SHA256
55a1e1f9a1c61f1e5e96be62207361f5b5986d0cee14a470d18cc5364f3d3733

SHA512
785bd573813af3ba8e2a5c80d302eeb43eb2d9e4b2c43ebe443d823951576308c4cf87591ad86457b1f255b63b5a1a67f2139728f549c1ab118e72fe1d391780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Miscellaneous
Filesize
40KB

MD5
babf7ec18005b270895bd6570ad9c296

SHA1
ced46bf7cf2ef2f691ca65eb15eb56c5fdb9c800

SHA256
638d0601bb3c6e209b052d9643e5301c1e4b7c660c33da662655cb1022899fb5

SHA512
62b8cadbb38f9259e61a3523158ba2cda6c58ac9a25a9136bef1deb6b3a4b3bb8f9012db812ba713582683f669cf271bc557ee26e43f86fc4030fc656b3b5e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Organic
Filesize
67KB

MD5
ccc80b4733cdc5525890811f6f947c61

SHA1
48abd4cabc7e596c90e03e2c4f29fa7bbf4a3799

SHA256
080a42a16a17fd03ec5ab98b1eab6c82b46afdc57e2f726e27d81c3aa602c437

SHA512
23bffa197c5c0c736dfcec397f5af5f475c8bf3873bc36c3c817fd290134a1956ad05b1fbcc49d835b9f168a49dd584574a92383bfd148c25f6c8e38ce49a3c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Patrick
Filesize
7KB

MD5
de2a5aa29259b38578aac3e4aa778fe5

SHA1
fab585c35270ee9e4eeeeacc44a415ded878fa01

SHA256
f907d5cab006a0b9f9e293995e146ad8411fdc334b8b00ae49178fb7fae84173

SHA512
847c02b2676b629c1e71bee2a2cff9ab4488c88cb63251d18ffe68f61ff87c0813c23ec2f6b5e16264f89e0d471634449f6e2db6524d8068d7ea1d452adf321e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Pics
Filesize
29KB

MD5
0dd882aa8bf9f0234d78fe674673372c

SHA1
e3c9b584a5665c3f33c11f41fa947154a97ec988

SHA256
464f63af78ecfa7078942816cbb67f078d166f1d09c78a8fc8605eca7413b7cc

SHA512
2f971ff49560a1c27c2d143c9fb5aeb3e472a5f8a4394994fad19e9bced618bc917186f85470f5a87fe58d66075197314156842d4cfb8dab31e72cfe69dd4025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Realized
Filesize
63KB

MD5
0f4803213016184cc9662b02b46d1042

SHA1
df97647918cbb59adf7d4988ee3ac66aec4bd5b4

SHA256
1621ee5ffc525f54c176fa50f3af4c10f611fccc3adc1ba2beae308e690b486e

SHA512
655624b9302fa519ad9d626e693641194fcd7b4635c04b05df550311f8789f6d630c4fdf07d102019610a89de1e5a20c247cc748c012ecf2e19500a8b256af19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Seo
Filesize
67KB

MD5
3266826f5c17795eba89ce11da48ee82

SHA1
46521685a9eb28996efaa14d753e5b814dd75754

SHA256
d985082071231b1afd871cfeb318a201d016541e0598fe4048805554e18621be

SHA512
77e5a933e5c54262b2be95ab6377d3e0f5a241168e8fb903172ee2c5eca81872ea85525bb276dee41eaf8b506af828db95f84222ad976259c9ca7faad77b5758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Server
Filesize
47KB

MD5
c4c006b7deaab1e31d1421445d8b49e3

SHA1
3c206ad20b74f9cb4f9edc59486e36096576dbbc

SHA256
51f2f66d29b019b4919c1678ae494af565935f57f8ed30d948c472a99d6e14c4

SHA512
6b735cf8f33c913490c149dca398ab0c04622cfb719559d9495cdb84586a6428327abe0a93bfdf9917118f5d7884c471974800a6d9ea6a09e5cfeb219cefff24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Shared
Filesize
66KB

MD5
87ac6d40ea981b77863126d17bd70585

SHA1
de7d02f22ef23a80ee8063cb84adc3cf00294011

SHA256
0b379c6cc9fce908ad746803adac04caa83d8fe55676a1cb8f8d0d9c18a9b492

SHA512
099a3500ca07d6f47b30b36d56247918114700f8b345fda46de650a6bef6f6731ec60c0e73f2e906bf653b5628014e8713139f9571bff33196c60eae51fff487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sit
Filesize
85B

MD5
b21e7b4104d10f9b66e23f21233e9809

SHA1
c657b11e0ebcd67a001307a8317f39d2a7aef0c4

SHA256
cdff1c6ce4ffa0551d6d3d26904b7c47998dd423ed478e8690f4b3b0754d4186

SHA512
f6f776de9943500d4c87c1efa1fc37247a8bad38fc8f25ae89a02b3015bbf7dedaafe4c0c17917e1672ad432fd0a19a102dceae1c2a4b21a2607f1dab919be70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sleeping
Filesize
5KB

MD5
7a4ce0c561d328f486f731eb75f38f67

SHA1
4db17866d13a560c0d4b3bf0ad48225208b7dccd

SHA256
5c0469088db87c2775a851c6889b5ce1344b3175a8c98c2eb66bfb02a2543eb8

SHA512
1e14efa6d22ebcff9f1566b115719a57d67ff4476209797d19b4514bfae0c3fa5fd3b0e4c319e677dae3b3beb9f865f7ed6a0898832556c420f398b1b63910fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stanford
Filesize
30KB

MD5
4dc405d6b7d21d19c3880f994dd24269

SHA1
4343cb615c6615cd0cdbbb19663f8b7b0ed64a47

SHA256
db9a262280405546eabfaa2e0564006ec430302353742fe7cfa2a0fd9a46999d

SHA512
8721fce59a18e95a2eec3c9d1cea6583cdd9b0deb933c1deba3580908dd8beeb1872e4e6330db10c6d48ac5987feed2f8c1da26ca7ec8945e487f0ddd42c9dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Venues
Filesize
21KB

MD5
ecb7450336c4278dc1f0e1a3c1b04ad7

SHA1
045f115c6c63f6d6f32f0b8f0cf773c28a7d4fc8

SHA256
27182c882ac947493c1ed1736fc5d3dc5ad4edc5fa21e883946bb781fdb387a3

SHA512
94a7dad133cfbae86c711800ccfe190a829b819dc4cab563072fc2b54b99880a2fa236128fcba9373ca1fe53f0c1fee8442a0a6c20cb1841399b19a1fa67f4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wm
Filesize
66KB

MD5
5bce95dee7cad385f82eaada5551bb99

SHA1
86958fa4bf3786891428fe5ef8c72ae4efaa0937

SHA256
dfda4fe7e801d43324b02cdc9608a35111fc9178229ef7c11c0b16ae6a0aa311

SHA512
2bd6964d2ea42eafa80d1e5edb50b5fc991245b35cd48147d8c17247d358ce73b9d43e9f7b22877eb3741700149e63fe9828a0efc223336f27d56a746c06f4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx97F6.tmp
Filesize
1.5MB

MD5
a4abac6f3af681f17b1b0c65ae1fa35b

SHA1
40d14caee91ce7976a9fb8f844fb758b8875f4ff

SHA256
a5e7c79dfb044c11c2725bc0c82ebc62da8d122925c811c83dfa79e7b61584d3

SHA512
607a76cfe7fef00e2fe9408ada36feac0e8ee80140a30e106dac2fdf3184e9ccba9268f5b8a01622d40d22e3134490ff33b8e1fac3090d627cff384a5973e1e5

Download Submit
C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3.zip
Filesize
9.7MB

MD5
47a3def655d2de1b1bae7e4d042d241a

SHA1
b29c74dd203230df67c43ec6cd2f75f51d6589b6

SHA256
76211ccfc2e91b0d87a2201a1d86d69b707f1d17b8859815fa13f15769b8961d

SHA512
2ff7e8091bd9ce4512083500335cd8789a993a193656deaf7a09d42d7b6430163bfaa693cdb59393177d5ca41bbd98c3aa383dd80dc2981da425d02164dfe5e2

Download Submit
C:\Users\Admin\Desktop\Xpl0its by Ryosx.cc Web Byfron Bypass V3\xpl0its.rar
Filesize
9.7MB

MD5
e4bf11fde2e577523f0550efe5058f12

SHA1
07ea0cba940e6c80b44751886750c0330398b4b0

SHA256
2af37a6efd7405898d6d4cf2cfb6b20612ff5cc407753ac333d4ace6a5a27bc7

SHA512
af85675afcef5373be82f11ce8cc24278f04ba507c6713bffa521b87b4e8a3e32e18dddb6e36d2f794bcd1975f2ec1c096f17850122cd8393663505ad96afe93

Download Submit
\??\pipe\crashpad_228_SFCZRODQEKBJKQFT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit