Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://www.gulfupp....

windows10-1703-x64

10

Resubmissions

19/08/2024, 12:56

240819-p6tfcsycpm 10

19/08/2024, 12:54

240819-p46mxaveld 8

Analysis

  • max time kernel
    334s
  • max time network
    332s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19/08/2024, 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.gulfupp.com/do.php?id=73715

Score
10/10
asyncratxmrigdefaultdefense_evasiondiscoveryevasionexecutionminerpersistenceratupx

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

gueocjjkoyavszhfj

Attributes
  • c2_url_file

    https://raw.githubusercontent.com/thesunofme/upload/main/ip.txt

  • delay

    120

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Async RAT payload 1 IoCs
    rat
  • XMRig Miner payload 15 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 7 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.gulfupp.com/do.php?id=73715"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.gulfupp.com/do.php?id=73715
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.0.711981344\1665997056" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1688 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ec6cb60-1f20-4631-9863-67a728e9d2c0} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 1792 1925cbda258 gpu
        3⤵
          PID:2964
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.1.1616761454\831262408" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ea52fc3-184b-41d0-b5f4-9d0005b6c51c} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 2168 1925cb05c58 socket
          3⤵
            PID:1896
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.2.1608987085\1762991846" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dedad9e-da6c-4d9c-82c4-8b3fbd328bfb} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 2888 19260dcd958 tab
            3⤵
              PID:3948
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.3.1231827932\222852074" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {997cfde0-6498-4513-a261-f7a2bd990d72} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 3660 19251b5cd58 tab
              3⤵
                PID:4812
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.4.516837522\506992995" -childID 3 -isForBrowser -prefsHandle 4780 -prefMapHandle 4748 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {039da375-45df-4eea-a2b1-126198b8c243} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 4764 192605b4158 tab
                3⤵
                  PID:4756
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.5.1566037615\1336952777" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4792 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9116581e-99a2-4bb9-b7c6-7c119337148c} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 4816 19263f54d58 tab
                  3⤵
                    PID:1404
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.6.1969912280\1782789450" -childID 5 -isForBrowser -prefsHandle 4936 -prefMapHandle 4816 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6eac434-d04e-4e81-a72d-d1db407afc0a} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 5028 19263f54a58 tab
                    3⤵
                      PID:1560
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.7.893167164\727846959" -childID 6 -isForBrowser -prefsHandle 4464 -prefMapHandle 1488 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbdb781c-8343-4dd9-9413-066e0bffb60f} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 5088 19263e93e58 tab
                      3⤵
                        PID:4500
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.8.1228188305\1272083030" -childID 7 -isForBrowser -prefsHandle 5580 -prefMapHandle 5576 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {319f7e1a-0eef-44b3-bc5d-d2001b8caa70} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 5612 19264a85458 tab
                        3⤵
                          PID:1580
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.9.1635592294\1962037294" -childID 8 -isForBrowser -prefsHandle 6004 -prefMapHandle 5988 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {298eff96-b349-480a-80df-9131d4cf2fa2} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 6056 19265a38658 tab
                          3⤵
                            PID:4540
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.10.2047697118\144437718" -childID 9 -isForBrowser -prefsHandle 6036 -prefMapHandle 6032 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68f2d9b2-cb6c-4754-b911-81d65e11b55e} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 6072 19265a39e58 tab
                            3⤵
                              PID:3484
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.11.105465522\1026241018" -childID 10 -isForBrowser -prefsHandle 6196 -prefMapHandle 6072 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbc78d6a-670d-48fb-acdd-2c6505f35361} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 6284 19265a38358 tab
                              3⤵
                                PID:2648
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.12.1784318522\794008372" -childID 11 -isForBrowser -prefsHandle 5752 -prefMapHandle 5764 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0260abc3-079f-47b2-8251-bdf343bdb4a3} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 5724 19263ec9d58 tab
                                3⤵
                                  PID:2368
                                • C:\Users\Admin\Downloads\winrar-x64-701.exe
                                  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4672
                            • C:\Windows\System32\rundll32.exe
                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                              1⤵
                                PID:6096
                              • C:\Program Files\7-Zip\7zG.exe
                                "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17306:72:7zEvent13499
                                1⤵
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of FindShellTrayWindow
                                PID:4340
                              • C:\Users\Admin\Downloads\102-HAX.exe
                                "C:\Users\Admin\Downloads\102-HAX.exe"
                                1⤵
                                • Executes dropped EXE
                                • Adds Run key to start application
                                PID:6056
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3740
                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5884
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\102cheat.exe'
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5892
                                • C:\Users\Admin\AppData\Local\Temp\102cheat.exe
                                  "C:\Users\Admin\AppData\Local\Temp\102cheat.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:948
                                  • C:\Windows\system32\sc.exe
                                    C:\Windows\system32\sc.exe stop UsoSvc
                                    3⤵
                                    • Launches sc.exe
                                    PID:5364
                                  • C:\Windows\system32\sc.exe
                                    C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                    3⤵
                                    • Launches sc.exe
                                    PID:5392
                                  • C:\Windows\system32\sc.exe
                                    C:\Windows\system32\sc.exe stop wuauserv
                                    3⤵
                                    • Launches sc.exe
                                    PID:5504
                                  • C:\Windows\system32\sc.exe
                                    C:\Windows\system32\sc.exe stop bits
                                    3⤵
                                    • Launches sc.exe
                                    PID:4192
                                  • C:\Windows\system32\sc.exe
                                    C:\Windows\system32\sc.exe stop dosvc
                                    3⤵
                                    • Launches sc.exe
                                    PID:5092
                                  • C:\Windows\system32\powercfg.exe
                                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                    3⤵
                                    • Power Settings
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5596
                                  • C:\Windows\system32\powercfg.exe
                                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                    3⤵
                                    • Power Settings
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3092
                                  • C:\Windows\system32\powercfg.exe
                                    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                    3⤵
                                    • Power Settings
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5624
                                  • C:\Windows\system32\powercfg.exe
                                    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                    3⤵
                                    • Power Settings
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5612
                                  • C:\Windows\system32\sc.exe
                                    C:\Windows\system32\sc.exe delete "OneDrive"
                                    3⤵
                                    • Launches sc.exe
                                    PID:5812
                                  • C:\Windows\system32\sc.exe
                                    C:\Windows\system32\sc.exe create "OneDrive" binpath= "C:\ProgramData\OneDrive.exe" start= "auto"
                                    3⤵
                                    • Launches sc.exe
                                    PID:5880
                                  • C:\Windows\system32\sc.exe
                                    C:\Windows\system32\sc.exe stop eventlog
                                    3⤵
                                    • Launches sc.exe
                                    PID:5916
                                  • C:\Windows\system32\sc.exe
                                    C:\Windows\system32\sc.exe start "OneDrive"
                                    3⤵
                                    • Launches sc.exe
                                    PID:5920
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\102cheat.exe"
                                    3⤵
                                      PID:5968
                                      • C:\Windows\system32\choice.exe
                                        choice /C Y /N /D Y /T 3
                                        4⤵
                                          PID:6132
                                    • C:\Users\Admin\Downloads\102HAX.exe
                                      "C:\Users\Admin\Downloads\102HAX.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3152
                                      • C:\Users\Admin\Downloads\daemon.exe
                                        C:\Users\Admin\Downloads\daemon.exe
                                        3⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:3460
                                  • C:\Windows\system32\werfault.exe
                                    werfault.exe /h /shared Global\86731a3e9a214a5eaa0690da4097f1ca /t 4920 /p 4672
                                    1⤵
                                      PID:3656
                                    • C:\ProgramData\OneDrive.exe
                                      C:\ProgramData\OneDrive.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:872
                                      • C:\Windows\system32\sc.exe
                                        C:\Windows\system32\sc.exe stop UsoSvc
                                        2⤵
                                        • Launches sc.exe
                                        PID:5388
                                      • C:\Windows\system32\sc.exe
                                        C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                        2⤵
                                        • Launches sc.exe
                                        PID:2980
                                      • C:\Windows\system32\sc.exe
                                        C:\Windows\system32\sc.exe stop wuauserv
                                        2⤵
                                        • Launches sc.exe
                                        PID:5952
                                      • C:\Windows\system32\sc.exe
                                        C:\Windows\system32\sc.exe stop bits
                                        2⤵
                                        • Launches sc.exe
                                        PID:4408
                                      • C:\Windows\system32\sc.exe
                                        C:\Windows\system32\sc.exe stop dosvc
                                        2⤵
                                        • Launches sc.exe
                                        PID:404
                                      • C:\Windows\system32\powercfg.exe
                                        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                        2⤵
                                        • Power Settings
                                        PID:6140
                                      • C:\Windows\system32\powercfg.exe
                                        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                        2⤵
                                        • Power Settings
                                        PID:5324
                                      • C:\Windows\system32\powercfg.exe
                                        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                        2⤵
                                        • Power Settings
                                        PID:5400
                                      • C:\Windows\system32\powercfg.exe
                                        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                        2⤵
                                        • Power Settings
                                        PID:2228
                                      • C:\Windows\system32\conhost.exe
                                        C:\Windows\system32\conhost.exe
                                        2⤵
                                          PID:5160
                                        • C:\Windows\explorer.exe
                                          explorer.exe
                                          2⤵
                                          • Modifies data under HKEY_USERS
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:6064
                                      • C:\Windows\system32\taskmgr.exe
                                        "C:\Windows\system32\taskmgr.exe" /4
                                        1⤵
                                        • Drops file in Windows directory
                                        • Checks SCSI registry key(s)
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        PID:5600
                                      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                        "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                        1⤵
                                        • Drops file in System32 directory
                                        • Checks processor information in registry
                                        • Enumerates system info in registry
                                        • Modifies data under HKEY_USERS
                                        • Suspicious use of SetWindowsHookEx
                                        PID:5436

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Reconnaissance

                                      Resource Development

                                      Initial Access

                                      Execution

                                      Command and Scripting Interpreter

                                      1
                                      T1059

                                      PowerShell

                                      1
                                      T1059.001

                                      System Services

                                      2
                                      T1569

                                      Service Execution

                                      2
                                      T1569.002

                                      Persistence

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Create or Modify System Process

                                      2
                                      T1543

                                      Windows Service

                                      2
                                      T1543.003

                                      Power Settings

                                      1
                                      T1653

                                      Privilege Escalation

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Create or Modify System Process

                                      2
                                      T1543

                                      Windows Service

                                      2
                                      T1543.003

                                      Defense Evasion

                                      Impair Defenses

                                      1
                                      T1562

                                      Modify Registry

                                      1
                                      T1112

                                      Subvert Trust Controls

                                      1
                                      T1553

                                      SIP and Trust Provider Hijacking

                                      1
                                      T1553.003

                                      Credential Access

                                      Discovery

                                      Peripheral Device Discovery

                                      1
                                      T1120

                                      Query Registry

                                      4
                                      T1012

                                      System Information Discovery

                                      4
                                      T1082

                                      System Location Discovery

                                      1
                                      T1614

                                      System Language Discovery

                                      1
                                      T1614.001

                                      Lateral Movement

                                      Collection

                                      Command and Control

                                      Exfiltration

                                      Impact

                                      Service Stop

                                      1
                                      T1489

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                        Filesize

                                        3KB

                                        MD5

                                        ceec209b396ba67e4f95548385510ccd

                                        SHA1

                                        9c46f016b749ec62c6b5f0397b0b4977844feb1a

                                        SHA256

                                        fde239b4d3c2e9559ad947b042081d7372e2f86eb80c2ba0ea075eff8b6909da

                                        SHA512

                                        887de3a75c5b54f4604879ac029832916b2c72a6a90a802f1565c73f0db1aa3f9472d9c64bc896f680ac047db90523bb6270c429eb05524637a73db5faa876dd

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        1KB

                                        MD5

                                        3c3efdf4371e0337fa2d750b66954f9f

                                        SHA1

                                        ef9d2d11a05ff383aac7f0cce140ac02d88aea0e

                                        SHA256

                                        a0a0e55cab764ff34dc76279712e2e077cf2534c8b0789d3362d9da18f34b24e

                                        SHA512

                                        a22c138ff16f10fbafa08748a3f01c696a0cf9ae0d9505fe7a308e853ac1a32785bcf56c689efa18bd4edba0cce6e8707cc9b9f6585751651064477ff748724e

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\1CCECF851334BDFAAD204ACFEF28B17A464F4E35
                                        Filesize

                                        60KB

                                        MD5

                                        587db76bcc7ac4225f8cc508953bdaa1

                                        SHA1

                                        a144c7cd9d41c7515911a94cbeb63de7fef0124c

                                        SHA256

                                        17d365f296609967b6e0c2ac6302f84cff9c18c36194c3acb59ddedeb7dbd368

                                        SHA512

                                        7deca89256dde13e7da9cd3509bb269fce74c481ee4305c3a3c310543097d60dbb1192b49b843901b1f0ca56054e330b079160bbc5cb525524ac1a8414b75a96

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\9357B92D7A82DC731CBB46EBC4F197AB314C7C11
                                        Filesize

                                        218KB

                                        MD5

                                        865d120ffe2d3d8045df0cf3dd5e0ef9

                                        SHA1

                                        a2be550842cb1243af681c59e161de4b65102bbc

                                        SHA256

                                        d0d6f8009274ba9b7c73914bcae1cbcfbaf1b777932cdc02d0ca57f140754eb2

                                        SHA512

                                        e11fd33bb5fb7233f9c582ceda4c6d472fe7762cd6eb25f249345cd8bb45da245f9d4e65dd78766f4071e8367d5acb0963b898828249f180f07baa8df0523b9c

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\102cheat.exe
                                        Filesize

                                        5.0MB

                                        MD5

                                        6acfcb592bc33cc27771fba30bb74294

                                        SHA1

                                        06720e3ca0697ec44712deb68057c96ae9cfd894

                                        SHA256

                                        90efe46daa4feab2ec76478665f308a2626bbc76967b61438d0d4605c53a4eeb

                                        SHA512

                                        8c1b10fe4bc1fa6a65852042ca8944326bd87f0ddde13b39612bc2bab00ec005af4851652e0b6b8cc1581d8be6de6acac88d72b3c3b4b0007ec160920681e7a0

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                        Filesize

                                        74KB

                                        MD5

                                        f058be9238b38d54e6119414de0bbf08

                                        SHA1

                                        09b4596d988914784959d721ab26c57b3d83a35e

                                        SHA256

                                        b317b00927a920c2d63a60ca98e0cd65f5319da376f379791b86bf4d8a05519a

                                        SHA512

                                        ac080a9c221a0f736469afbc6caabce2144ecd51ba43ee3260683f9729819b51e27ad99eb538cb391f873720ced540bfe4488023217526f5563931470457de9c

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1kntodz.mk1.ps1
                                        Filesize

                                        1B

                                        MD5

                                        c4ca4238a0b923820dcc509a6f75849b

                                        SHA1

                                        356a192b7913b04c54574d18c28d46e6395428ab

                                        SHA256

                                        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                                        SHA512

                                        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                        Filesize

                                        442KB

                                        MD5

                                        85430baed3398695717b0263807cf97c

                                        SHA1

                                        fffbee923cea216f50fce5d54219a188a5100f41

                                        SHA256

                                        a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                        SHA512

                                        06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                        Filesize

                                        8.0MB

                                        MD5

                                        a01c5ecd6108350ae23d2cddf0e77c17

                                        SHA1

                                        c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                        SHA256

                                        345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                        SHA512

                                        b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
                                        Filesize

                                        17KB

                                        MD5

                                        f173be585c6f0a2c7a82bd18ecb2b980

                                        SHA1

                                        05f9a67f0685fcebe49eed7a46b91e449df1f229

                                        SHA256

                                        7b80db6ffb24d486aa26d57ff0e71b75b08ee9f42ef9ace93001ffa1e25a06b4

                                        SHA512

                                        2a75f7028780879c09ad1a0432bdfd9fafb36040d99a315e7d474f7508b265f7a2f1fdf019578d26102c492c1b3eb043b5e5ee357c0329af3a946625cf8da89d

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
                                        Filesize

                                        2KB

                                        MD5

                                        cf38b95e42a391b91242a08e4c44b22d

                                        SHA1

                                        1414621043d241423ce3f31a37a0dabcf97f0b93

                                        SHA256

                                        ecb3de1113e5a718df253cc31bbeac81e26daa12fbe88b68e6c9fd175b929b06

                                        SHA512

                                        30faa3aaffb83a9dd8e336f765f191586e878afd88bd64483bc9c0c7225f895175cca09ed64cc81dc8269d7bb61d0b66238dd274ec841f40f71eaac9a6949e83

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\5d910bbc-5f84-40cc-8f20-1aef7f0ac153
                                        Filesize

                                        746B

                                        MD5

                                        c4783e458faec4af7502021aa292c77e

                                        SHA1

                                        390189b6d922aa07633051faac94e358700ebd23

                                        SHA256

                                        ac9ad2898256c04b95c71ae90a9124c0050facc3b2e0002718b97b579d647851

                                        SHA512

                                        8bf58212b439bd0fa2d5d9dbabec9105a2773b885c44f478b86d829e193ed2ce74d9e18402b35303bd346e8c7cba8ac3aef250f09b9d008f0b1021fb39e23970

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\d0687602-fa84-48bd-9702-5597cb1deb33
                                        Filesize

                                        10KB

                                        MD5

                                        04b7a385db83338e696136ee90c0dba0

                                        SHA1

                                        3b153e34f450f47092067a4225548a2805a2507d

                                        SHA256

                                        571fd967f4b0f3cc1bffa7f9b8564fd4f04eb1c8357abfe1b87ca2a0dd67310c

                                        SHA512

                                        4c2ebc8cec08e8e4fd2eb1e71aa3f3a72917238d2c3ceb68fc380b53e6a0da83c1742ed4f0d1c6fac594b7c4b104d167ba0bd81552f9e6eff02b5b195d805f5e

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                                        Filesize

                                        997KB

                                        MD5

                                        fe3355639648c417e8307c6d051e3e37

                                        SHA1

                                        f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                        SHA256

                                        1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                        SHA512

                                        8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                                        Filesize

                                        116B

                                        MD5

                                        3d33cdc0b3d281e67dd52e14435dd04f

                                        SHA1

                                        4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                        SHA256

                                        f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                        SHA512

                                        a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                                        Filesize

                                        479B

                                        MD5

                                        49ddb419d96dceb9069018535fb2e2fc

                                        SHA1

                                        62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                        SHA256

                                        2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                        SHA512

                                        48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                                        Filesize

                                        372B

                                        MD5

                                        8be33af717bb1b67fbd61c3f4b807e9e

                                        SHA1

                                        7cf17656d174d951957ff36810e874a134dd49e0

                                        SHA256

                                        e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                        SHA512

                                        6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                                        Filesize

                                        11.8MB

                                        MD5

                                        33bf7b0439480effb9fb212efce87b13

                                        SHA1

                                        cee50f2745edc6dc291887b6075ca64d716f495a

                                        SHA256

                                        8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                        SHA512

                                        d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                                        Filesize

                                        1KB

                                        MD5

                                        688bed3676d2104e7f17ae1cd2c59404

                                        SHA1

                                        952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                        SHA256

                                        33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                        SHA512

                                        7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                                        Filesize

                                        1KB

                                        MD5

                                        937326fead5fd401f6cca9118bd9ade9

                                        SHA1

                                        4526a57d4ae14ed29b37632c72aef3c408189d91

                                        SHA256

                                        68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                        SHA512

                                        b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                                        Filesize

                                        7KB

                                        MD5

                                        94f344ae1062a3a8a03a1ef8de8f91b9

                                        SHA1

                                        52f2e109529cc55f52880356223bf95c8200ad4f

                                        SHA256

                                        ab66962d0d41f5efc7ec5e7f920b4b33c84fabb8c05ffe4e8765079b0f356279

                                        SHA512

                                        6673d467e36edea7f3580a5484824c2cfd401d6191d34a9228fbc886ebd430124a0e86d844025cb30f58d6c4b55756c9f076414f11f9b330dc69fa02bb712283

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                                        Filesize

                                        6KB

                                        MD5

                                        dace83e678290d91c937ca76f0b8ee97

                                        SHA1

                                        5c38ff191bf15db3a72958f6addee9ec92bb9426

                                        SHA256

                                        433dd2a4fe8fd7e6655b97789aac813e1cb026fba4aca0199e82bbe99c3ae991

                                        SHA512

                                        4ccb886c6dec7f4a0a7d2212fb6584f15d170fa4a34ed1051eba86a9b39e06d9fabf4d40f221d3ad09711af89d576441f0e3515715ade6a3b14d211291a5b71e

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
                                        Filesize

                                        6KB

                                        MD5

                                        2890761787f447cfc70391570d779ae6

                                        SHA1

                                        2567fe7be6a725f4dd2f45789c07c0c3bdc6e70e

                                        SHA256

                                        f7bd1d189c7b1e430eb77eb82b6da704f5398759c1ddf460471bc644cdbe4125

                                        SHA512

                                        51a0f84ba05b7e068ca920b70899032f8698f6e41cac8b3f6775701231dd5681632604a059ccee07ebc5ff76e7c141f142d764c19148028ca9bcb2c1761f723b

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
                                        Filesize

                                        6KB

                                        MD5

                                        2e4cce9851400a01bbfbbbe559035ed4

                                        SHA1

                                        f5f9a142c1ec1513fd48d4dbfaf4cefe18128416

                                        SHA256

                                        d6494bb410ef3ffb59441fb8f237cc62eb07bd1d79b0d9caecc7002c88388408

                                        SHA512

                                        254790314e9b854a2ae5a47811d58ad5daaf464afba0dfb199e27dbb9c0e08a7bbd50789a08dc6d6b71e0b4431a65a3c8052e098e92a3e08538a4d9b32e9bc36

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
                                        Filesize

                                        6KB

                                        MD5

                                        1fa35c97021bc8a40f2b3ecdc7c24923

                                        SHA1

                                        8c3093cdffa469a129ea51d835ed45e7ebe22bfe

                                        SHA256

                                        be5cfc70e9fb2d8d7a13c1bdc667a94a513a260bb62fdd11a65d1d97ea91b0f3

                                        SHA512

                                        cd8153eb3cca0db437de07a6adbcebbda684d30cc23454f2a77f2245cf6819a2476b85daee5bc04e4052e957135af5898de8cc1903c157513f86d0c34012a4d2

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
                                        Filesize

                                        6KB

                                        MD5

                                        f99d7c6591256c776d1d899fd483e909

                                        SHA1

                                        c8b4e07ff1e41e065211a5d54e39209b1fb41960

                                        SHA256

                                        3f9e74c19722173ee243c2b9bf37659c0c829cbcdc8afa5318626cb1c4e9b4d5

                                        SHA512

                                        c33dfecc72022147be36ebf693ec33eb01c5779aa01dc10a80e2bcbfad7e6aabb727caf285ae0c004a7b82b7e8f29b8c5bdc31bd0fe89f7ec12abe42ed4ea456

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
                                        Filesize

                                        6KB

                                        MD5

                                        2d34530cc727b8d982461d978aac2dc3

                                        SHA1

                                        9ca86102becd3d4cd74968bb3d3ceefe23ca7354

                                        SHA256

                                        62713cc29afb5f2562951c016f7b4525d883009cd4e314623d9a1a308eb04b43

                                        SHA512

                                        c49ece6f941f5c45ad2d4d7b6e06363095f535d63564b6b9b4511e860badc25ba5480e97698cf7a0ce426a465bc69b60fc1cf8c2b5d25afb891997ddbd422796

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                        Filesize

                                        5KB

                                        MD5

                                        d11ea9069464aaf4e5e1e52cd9b98950

                                        SHA1

                                        4242866e88ebf8009fd5a65cb451513fea6d4ee1

                                        SHA256

                                        b794d9040677292d7dabe5b6bd557613d9d2d00f6983083322f89937ce712884

                                        SHA512

                                        018871af32c8d30ebb7cf29e9a564e3d0ae348b3a4516c5b9fb744c44cc6d196fd3efddad6bb02cd2992fea5e7c3c617e46331b11c8233b3a02070c3b5f8f7a6

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                        Filesize

                                        5KB

                                        MD5

                                        5ec1b76104911881f5195fb5cfa130da

                                        SHA1

                                        831d354bf12b4fe7aca0fa442ce1c66ede834216

                                        SHA256

                                        a1be0cd728f6a10e528c753be4c53376d04dcd682b0eef80e1775f5bd2ae78b6

                                        SHA512

                                        bb5705cb4ed1fcb02eeb4fb64bfb37b9a635ee24717015ec420158d9dbefbc8b8f06eede2e925283025ad05937f4a3343a9f2830ce85d1cafe1170c99b135806

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                        Filesize

                                        1KB

                                        MD5

                                        f28679b2e7426ef6123be9688a38871a

                                        SHA1

                                        7564886d930979e7136385bfab324244e3aeecca

                                        SHA256

                                        8c0ca3e6d5c278c70897072c420bf33fa60310d24866fecc2dfac8d533d6385f

                                        SHA512

                                        f63ace9b4593c478385a32192067a16e1d69b14eba1174506352eb74d7adcd98e05f991402d4827d5f04c1fae21c552424fece45652581ccbf46b25614801c11

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                        Filesize

                                        5KB

                                        MD5

                                        05fe9fd886fee3d74fe2e6bbc470b413

                                        SHA1

                                        b80f4fb2be21c13796e387ff008382b48d084d03

                                        SHA256

                                        f0a1f48f346f09d86d10b144225dd8bed80a1898bea0b2b98a229b438b0f34b9

                                        SHA512

                                        dd86b1ddfc5ea62c12f5052c8a1ec0716217b4e2816457c274ea9b7b0efdd979c75b513b99dc6e865e9f78a625c58b674d9f21c04f0bb08490f82f2acf926985

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                        Filesize

                                        5KB

                                        MD5

                                        079b45a23df65b741671a7436f09a3eb

                                        SHA1

                                        8c8abb2adfa3ce2c6eebc11c1df544b5fc7c5e95

                                        SHA256

                                        ec71a4fb3cf09745cb8170bf5efb436fda76eadbd3624eb1e7ec3237171b8a5e

                                        SHA512

                                        83c2d3aaf600739e3be989e3daccd7285bfaeea319ddf2f3d524dd58c49963ef8e1fa9b88de59cfb98f700b2f022e4b0232e564cbf3958b6bbf9c0c42f3f51a4

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                        Filesize

                                        9KB

                                        MD5

                                        7085b0b2d77641de562c78fc3d9fd572

                                        SHA1

                                        4edb1f155095022766c00fbcea185178454285ff

                                        SHA256

                                        415513245846655cdf3a27c878fe4129c9aed453175b8a1859a0e7ff71066dc2

                                        SHA512

                                        e539619b0611094504c61ba6223d0f1e82288fe68ca50f03dde6fc7d31a2d96b7cd21762af6f4aac643e320ad9f61e8ea875bdf5d17c92ca623f14cd41e57755

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                        Filesize

                                        9KB

                                        MD5

                                        8e2b319d77a8d36d562fa8c7280ce7b4

                                        SHA1

                                        125e2edc18f6b03291ba7055b8edaecd4686e728

                                        SHA256

                                        2b7a6719e469d43d6cd400b65376dbb171ef4d897de35f35434664283faa0be3

                                        SHA512

                                        d787ad2717a2fb17f6dc7567bd171fe66791ad8f7dd0ffa562bce0ad013ce5138f019c04df8a9a7e6be39bb00802d0de036df8dcd4fb5373952e2d2198fb41ce

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                        Filesize

                                        9KB

                                        MD5

                                        1ca95e670323c7e5693d0d00e37dbb16

                                        SHA1

                                        c0de476714a864dfc7b0bc6c4123d0dc6ac2b3c5

                                        SHA256

                                        c657c7f16fdce49c2fc91ef814bda6b27a2b81e4aa40aaff2f070962f259cdee

                                        SHA512

                                        e357487ed1557b11a58af463c163a019949ba81381af4aaabf6607d84f9cabe58da97ecceff7cf82475c069575d3dbe76d85ea7c053480eb3a9406984cf603e2

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                        Filesize

                                        9KB

                                        MD5

                                        ed287e883479951c59f550d56026168f

                                        SHA1

                                        34b2d0372e1363e0a69cad06b422441e84899518

                                        SHA256

                                        0f4c9e7c5481d6b640e5522b90b423309d5ec6479050bbbf8e81a1b2fe5d309a

                                        SHA512

                                        f08639c0c22c17a0fbf3976bba32695cf10ab55f06607504d95c9d63f045f67ea41234e725a3f97a4729329c20bb86b7fff0e96ba7c3bebfbe02892d80e7ff6c

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                        Filesize

                                        5KB

                                        MD5

                                        e0c115245ccd017b18b0fd35072d6ff7

                                        SHA1

                                        6dc125f217f8fb3443677b7c29931e25b1280d70

                                        SHA256

                                        c675f7d6af8d0d02e4df8b016e234c0044c9b1a73c37a9f6e8802ef9cc8bde0a

                                        SHA512

                                        90525bcf0703033ed03e4987c43724c864923ef7b43983d9795cabc2282e3f9f1abcb49eef2e49f5b557238b696355a80b3561696ca64ffa56d2096e2865d437

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                                        Filesize

                                        192KB

                                        MD5

                                        05061daf0deb89557c9c51590a9f2da9

                                        SHA1

                                        201ef85bb2f141746b6620be1405aba92503c9f7

                                        SHA256

                                        203a01496039333c4746f73681fc0252b197d1c42c28a1e8387365245fbea414

                                        SHA512

                                        74281aea2f6526f9706bb60f587b9c190faf9f3b65c4d6652510942ad12820c6b4c12178187fd680ac6c305086de74c0a1273e350013aaf18207bfcdb1fc3d57

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                                        Filesize

                                        184KB

                                        MD5

                                        acb98d3d4e718735b97cfa91dc502aeb

                                        SHA1

                                        169e52e36b0118c591b2c7c4566f7d24bb48a1fe

                                        SHA256

                                        d7f03e1c2f27c7dcae5c28ea3c52ddb1d5c8086870d28206e8afc039d6779ce5

                                        SHA512

                                        a8aa54bcc302f0e67fc2d856e540696259ef259dfc9ca8cf59a02a9552f86e004a251129ea53acd0109f6c6e10395003c884bf45a25424a93165b1b25b883227

                                        Download Submit

                                      • C:\Users\Admin\Downloads\102-HAX.exe
                                        Filesize

                                        4.8MB

                                        MD5

                                        25b2b6c51d25b53d31899d5e7531e516

                                        SHA1

                                        e3a49bb9f597f6708aacf5970462ea781262ade7

                                        SHA256

                                        060f5367e19523ddd903ca747fe58cc0b1a932d3d5886082dccbd58658bca4e4

                                        SHA512

                                        efa3452dc2114bd1d0024ab36981de19e6221adfd66ee36bda6076cfecd6a35c9d01e8418d5c8377f1ff66dbcff73c8a0e8c121bfffd4ae35bafc45df11a423a

                                        Download Submit

                                      • C:\Users\Admin\Downloads\102HAX.exe
                                        Filesize

                                        1.2MB

                                        MD5

                                        bc6da18b48ecd5963ac1c4430e9bc4e2

                                        SHA1

                                        9afc20943c5a54b82c0b54458c888026795d804f

                                        SHA256

                                        d6dc2df2284c205a9e751ab5e3cc96a6e42f848d962f30c115559c834bf0a15a

                                        SHA512

                                        7015076752ab226eb6944af0ea06976521b2d90b6b298b0908710c956494eecb13e4a3fad0db754e705cb56486e44ba2c108a77c5ee7913ab7344d0088208dda

                                        Download Submit

                                      • C:\Users\Admin\Downloads\daemon.exe
                                        Filesize

                                        378KB

                                        MD5

                                        207827e053174afbfa7bff685d03dd5a

                                        SHA1

                                        d7f25603519deaa8a240b6b8599200889c0939f7

                                        SHA256

                                        7a943c6fb763e210f1ed4dac2a5ca1670635a603d24ed348968c242ec9ba0942

                                        SHA512

                                        5d6018b6ffd1177b641bb782f7844ddde18e71524ec86d80613f9b8f103883370f48f8369fe052c9327592aa85ef5cc73a619eab74d6f9a619ef628290387396

                                        Download Submit

                                      • C:\Users\Admin\Downloads\winrar-x64-701.WuperKSH.exe.part
                                        Filesize

                                        3.8MB

                                        MD5

                                        46c17c999744470b689331f41eab7df1

                                        SHA1

                                        b8a63127df6a87d333061c622220d6d70ed80f7c

                                        SHA256

                                        c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

                                        SHA512

                                        4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

                                        Download Submit

                                      • C:\Users\Admin\Downloads\الهاك.8bJ0DyQJ.rar.part
                                        Filesize

                                        10KB

                                        MD5

                                        7323fcfc8890f8c4d268f0cf8bbd9eef

                                        SHA1

                                        0b733b3e9a30fe78ffd58a0e8ed46b240a7f2d70

                                        SHA256

                                        6e51eaad1dc756d432c13b9e5bf154e2cea8d3ea081261326d2a685e8c3f0a07

                                        SHA512

                                        3af7275bff4faefbb39f5607f014a621231ffc67255168eac93c792fd3631c780fdea0cd4415d90093f644497ee10ec9505ff11282554f6697ac199b54dab0f4

                                        Download Submit

                                      • C:\Users\Admin\Downloads\الهاك.rar
                                        Filesize

                                        4.7MB

                                        MD5

                                        68d5ac479a6b22302b8e5800d53c6a11

                                        SHA1

                                        0978dfed3f040d7d64a2cde1a2ab5c6ec7fd0682

                                        SHA256

                                        4c736e4dc6b0609a75b332a8cc5d1b92f2972c36c79135b60b052e5bca93fa3c

                                        SHA512

                                        9436e0980e8ce71b5ddd8d9db5c7ac410274039e372c3e76094f0d8323c703e8b507db7407d8493d90c0337e17b872eb40dc5ff10d5b479373bc3db7f5bf39ff

                                        Download Submit

                                      • memory/3460-767-0x0000000000AC0000-0x0000000000B25000-memory.dmp

                                        Filesize

                                        404KB

                                        Download

                                      • memory/3460-769-0x0000000000AC0000-0x0000000000B25000-memory.dmp

                                        Filesize

                                        404KB

                                        Download

                                      • memory/3740-518-0x00000255658B0000-0x00000255658D2000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/3740-521-0x0000025565CD0000-0x0000025565D46000-memory.dmp

                                        Filesize

                                        472KB

                                        Download

                                      • memory/5160-633-0x0000000140000000-0x000000014000E000-memory.dmp

                                        Filesize

                                        56KB

                                        Download

                                      • memory/5160-634-0x0000000140000000-0x000000014000E000-memory.dmp

                                        Filesize

                                        56KB

                                        Download

                                      • memory/5160-635-0x0000000140000000-0x000000014000E000-memory.dmp

                                        Filesize

                                        56KB

                                        Download

                                      • memory/5160-632-0x0000000140000000-0x000000014000E000-memory.dmp

                                        Filesize

                                        56KB

                                        Download

                                      • memory/5160-631-0x0000000140000000-0x000000014000E000-memory.dmp

                                        Filesize

                                        56KB

                                        Download

                                      • memory/5160-638-0x0000000140000000-0x000000014000E000-memory.dmp

                                        Filesize

                                        56KB

                                        Download

                                      • memory/5884-565-0x0000000000660000-0x0000000000678000-memory.dmp

                                        Filesize

                                        96KB

                                        Download

                                      • memory/6056-505-0x0000000000E40000-0x000000000131C000-memory.dmp

                                        Filesize

                                        4.9MB

                                        Download

                                      • memory/6064-645-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-670-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-669-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-671-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-672-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-666-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-664-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-665-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-663-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-640-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-639-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-642-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-643-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-644-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-647-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-648-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-649-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-651-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-650-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download

                                      • memory/6064-646-0x0000000000E50000-0x0000000000E70000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/6064-641-0x0000000140000000-0x0000000140848000-memory.dmp

                                        Filesize

                                        8.3MB

                                        Download