69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050

Analysis

max time kernel
4294213s
max time network
151s
platform
windows7_x64
resource
win7-20220223-en
submitted
06-03-2022 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe
Size

1.9MB
MD5

c92d4a257901ebf90deb87da967f6b57
SHA1

c3d91035b8809b4bbbe2c30ccba3f09b5d1d5cf6
SHA256

69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050
SHA512

0edc0afe3ec41f2955c976c6f1acc9151ba7714adcb5d085f9a2f8c47187a87896ff96dd8be33cbd9b6a01360b658a62edf489a4b46157d48fe4cbf5d25c8c24

Score

9^/10

bootkit google evasion persistence phishing

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 9 IoCs

Processes:

OXYSploit-ByAlain-release.exeOXYSPloit-Release.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exe

pid	process
580	OXYSploit-ByAlain-release.exe
1540	OXYSPloit-Release.exe
316	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
832	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
1940	OXYSPloitRelease4.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

OXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Wine	OXYSPloitRelease4.exe

Loads dropped DLL 8 IoCs

Processes:

69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.execmd.exeOXYSPloit-Release.exeOXYSPloitRelease4.exe

pid	process
1092	69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe
1092	69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe
1092	69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe
1208	cmd.exe
1540	OXYSPloit-Release.exe
1540	OXYSPloit-Release.exe
1540	OXYSPloit-Release.exe
316	OXYSPloitRelease4.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

OXYSPloitRelease4.exe

description ioc process

File opened for modification \??\PhysicalDrive0 OXYSPloitRelease4.exe
Detected potential entity reuse from brand google.
phishing google

description	ioc	process
File opened for modification	\??\PhysicalDrive0	OXYSPloitRelease4.exe

Drops file in Program Files directory 5 IoCs

Processes:

OXYSploit-ByAlain-release.exe

description	ioc	process
File created	C:\Program Files (x86)\__tmp_rar_sfx_access_check_259401005	OXYSploit-ByAlain-release.exe
File created	C:\Program Files (x86)\info.bat	OXYSploit-ByAlain-release.exe
File opened for modification	C:\Program Files (x86)\info.bat	OXYSploit-ByAlain-release.exe
File created	C:\Program Files (x86)\OXYSPloit-Release.exe	OXYSploit-ByAlain-release.exe
File opened for modification	C:\Program Files (x86)\OXYSPloit-Release.exe	OXYSploit-ByAlain-release.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\en.softonic.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab8535dea0c55241b6e6a02dc814678c00000000020000000000106600000001000020000000840a55d76e324d416c9c0296b796da3a1583d2665e38e9715d624d5ab8135a1c000000000e800000000200002000000091f0c0ecb243d53584b097812669991d9656b4cfba8b25e24a881d3de8ad29af90000000dfbda8d223557f122626ab0a0593cf6e4fdb1c8516514ec4826100edc9b6d2d7eb3573aabe032736e59326927a58b02d2ae277c126d1600d49410c4875ab01cbe4a5d2c596e9589fefe3133dabfa520290f14ba8958f9c09718345bd13880d45dfad52f7e59c572b31222f702996c3cff2e775b08fee1bf6174bb01570d2d82dfa47dd4dfea2f14cadc46e10126a1a3b4000000015782ac22bd6401e1f43872cc6bf6bc2e0de83774e7f04512a1870be3bf3acceb406b4a6383e3543c2f21f765ce146cc381fb05810a86bcd0acf1f8e58c45c1d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\en.softonic.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\en.softonic.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\softonic.com\Total = "200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\softonic.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "353364034"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\en.softonic.com\ = "200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\softonic.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{43F1C371-9D8D-11EC-B89F-C2DA94358FB2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\softonic.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c08357199a31d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DOMStorage\softonic.com\Total = "22"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab8535dea0c55241b6e6a02dc814678c000000000200000000001066000000010000200000009629f2642e6ef5dfdaad28fa7792bd44e2385211cb707527af41119ac7967255000000000e800000000200002000000027585498a03fd2886c8dff406bb4ffe46344f94ff09fc0aed3e01c83fc388b69200000009ee893a6429121e106ce6b62bbc3f8ebe4629bf404ce7a0f8a7a071567daa46b400000000d6f47302d61172956d4c0aa09085216ce8b4b095708c1a9510d4ede7a87259a1533e68a782b8f7dfca48510ff53c73826d0642b97caa4637892955bc7f2bd18	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

OXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exe

pid	process
1220	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
832	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
832	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
832	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
832	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
832	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
832	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
832	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe
832	OXYSPloitRelease4.exe
1220	OXYSPloitRelease4.exe
932	OXYSPloitRelease4.exe
1336	OXYSPloitRelease4.exe
2032	OXYSPloitRelease4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	2756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2756	AUDIODG.EXE
Token: 33	2756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2756	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2500 iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2500	iexplore.exe
2500	iexplore.exe
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exeOXYSploit-ByAlain-release.execmd.exeOXYSPloit-Release.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeiexplore.exe

description	pid	process	target process
PID 1092 wrote to memory of 580	1092	69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe	OXYSploit-ByAlain-release.exe
PID 1092 wrote to memory of 580	1092	69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe	OXYSploit-ByAlain-release.exe
PID 1092 wrote to memory of 580	1092	69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe	OXYSploit-ByAlain-release.exe
PID 1092 wrote to memory of 580	1092	69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe	OXYSploit-ByAlain-release.exe
PID 580 wrote to memory of 1208	580	OXYSploit-ByAlain-release.exe	cmd.exe
PID 580 wrote to memory of 1208	580	OXYSploit-ByAlain-release.exe	cmd.exe
PID 580 wrote to memory of 1208	580	OXYSploit-ByAlain-release.exe	cmd.exe
PID 580 wrote to memory of 1208	580	OXYSploit-ByAlain-release.exe	cmd.exe
PID 1208 wrote to memory of 1540	1208	cmd.exe	OXYSPloit-Release.exe
PID 1208 wrote to memory of 1540	1208	cmd.exe	OXYSPloit-Release.exe
PID 1208 wrote to memory of 1540	1208	cmd.exe	OXYSPloit-Release.exe
PID 1208 wrote to memory of 1540	1208	cmd.exe	OXYSPloit-Release.exe
PID 1540 wrote to memory of 316	1540	OXYSPloit-Release.exe	OXYSPloitRelease4.exe
PID 1540 wrote to memory of 316	1540	OXYSPloit-Release.exe	OXYSPloitRelease4.exe
PID 1540 wrote to memory of 316	1540	OXYSPloit-Release.exe	OXYSPloitRelease4.exe
PID 1540 wrote to memory of 316	1540	OXYSPloit-Release.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 932	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 932	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 932	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 932	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 832	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 832	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 832	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 832	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1220	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1220	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1220	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1220	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 2032	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 2032	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 2032	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 2032	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1336	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1336	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1336	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1336	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1940	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1940	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1940	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 316 wrote to memory of 1940	316	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 1940 wrote to memory of 2380	1940	OXYSPloitRelease4.exe	notepad.exe
PID 1940 wrote to memory of 2380	1940	OXYSPloitRelease4.exe	notepad.exe
PID 1940 wrote to memory of 2380	1940	OXYSPloitRelease4.exe	notepad.exe
PID 1940 wrote to memory of 2380	1940	OXYSPloitRelease4.exe	notepad.exe
PID 1940 wrote to memory of 2500	1940	OXYSPloitRelease4.exe	iexplore.exe
PID 1940 wrote to memory of 2500	1940	OXYSPloitRelease4.exe	iexplore.exe
PID 1940 wrote to memory of 2500	1940	OXYSPloitRelease4.exe	iexplore.exe
PID 1940 wrote to memory of 2500	1940	OXYSPloitRelease4.exe	iexplore.exe
PID 2500 wrote to memory of 2596	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2596	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2596	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2596	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2852	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2852	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2852	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2852	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2820	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2820	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2820	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2820	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2288	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2288	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2288	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2288	2500	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe
"C:\Users\Admin\AppData\Local\Temp\69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\Desktop\OXYSploit-ByAlain-release.exe
"C:\Users\Admin\Desktop\OXYSploit-ByAlain-release.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\info.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208

C:\Program Files (x86)\OXYSPloit-Release.exe
OXYSPloit-Release.exe -pM1RYANNE -dC:\Users\Admin\Desktop
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /watchdog
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:932

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /watchdog
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /watchdog
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /watchdog
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /watchdog
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /main
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
7⤵
PID:2380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+get+money
7⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
8⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275474 /prefetch:2
8⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:2241556 /prefetch:2
8⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:2307088 /prefetch:2
8⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x144
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\OXYSPloit-Release.exe
MD5
4442d99b3a9fb90de40b94e2f0286474

SHA1
f3c823d663c6b5eeaaf34ba0d6d2b7e5c941a69d

SHA256
381ca43359eb49ca36ae4aeeae7b8376b1d4745fd27bd21ed1b70bfa39800ac2

SHA512
bb1c068c54bf438e74ad0f306808b64655c5b873bb32530d593e17f66e30cbf157be1de70d7e0a1c401dca45801022baf0bea54603852494d90292ebe576c532

Download Submit
C:\Program Files (x86)\OXYSPloit-Release.exe
MD5
4442d99b3a9fb90de40b94e2f0286474

SHA1
f3c823d663c6b5eeaaf34ba0d6d2b7e5c941a69d

SHA256
381ca43359eb49ca36ae4aeeae7b8376b1d4745fd27bd21ed1b70bfa39800ac2

SHA512
bb1c068c54bf438e74ad0f306808b64655c5b873bb32530d593e17f66e30cbf157be1de70d7e0a1c401dca45801022baf0bea54603852494d90292ebe576c532

Download Submit
C:\Program Files (x86)\info.bat
MD5
2af9dcd6a49591bbaaabb965384dba1d

SHA1
eb275f922d23e68121c3a1c813207c438feffb21

SHA256
bfa96019c8a18e924b11ea009400e9c309a0e0e58621b4304a111f9890100d73

SHA512
c0d85137ac4ae93d87b05665ae7c6fc51b808af2fee5efc41fd7b5c9a62b39bc9e5bbafaf2409584ed16711cf95bc1551a4d80ca59eab1f04b6740cabac8e89b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
3e8ef9570d28659adccea36a33d44ca7

SHA1
aed9c5bbdb7f13452c06f36b0cb5f10457ed0c47

SHA256
28ddf8892e626d7c5115c2f49e97cffbed9b4460f76d88ce95ebe23917f36bc3

SHA512
fd1cbe011c0284841219de8fe673766137905826b561c9a6f79b383464c3fc673bda0fbdc9efd5a8f90201f7b47cb5081181ea72e0eb340c6c65642e052731b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
64e9b8bb98e2303717538ce259bec57d

SHA1
2b07bf8e0d831da42760c54feff484635009c172

SHA256
76bd459ec8e467efc3e3fb94cb21b9c77a2aa73c9d4c0f3faf823677be756331

SHA512
8980af4a87a009f1ae165182d1edd4ccbd12b40a5890de5dbaea4dbf3aeb86edffd58b088b1e35e12d6b1197cc0db658a9392283583b3cb24a516ebc1f736c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_463197BCFA59510875AC26CD4321C84A
MD5
06094c898db4b66640ed03c1a5c99304

SHA1
361354113ea2b4f8ec5cb09663eabb2e7de342ae

SHA256
475b20c3d9a22a4beeadd4a552a1961a1707562b7a80e2b45c6dd110a2f8fce4

SHA512
10c3824b6ec35ab4fdbe66f238391832e5f41721749483310b209717b4796495573073a253c1e3f7ba9ce07201c4ab108e319e5aaff3fd2e3168c2bf1b2ef7df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_3C1BF170B761A591ABEBC4A5CA9B0B8F
MD5
49709e7a47f36b4f957af391a13f3b9d

SHA1
be3617eb78697164a10629bf0680a1774ab1fbf6

SHA256
135a8c3011391fa48410805c6cbd84739b12dadccfcfd5e929e861836764e52d

SHA512
05bb8617e943b3905c8d928e677bdefa0529ae2f4a2697e04ac8abaae894eaab91d822ac18f4c01b7fce0fdac69841c73146c34c39c30c8170c9a741b1450e5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
eb0bc6ba631140171671ce9e4e49f1dd

SHA1
2dd7d7ae5b6cfa7a632c2f3a200d5e776be48198

SHA256
4ccd7d5b8ba0409c0722f3120d50bd13bc055245061b26203812ee6018f61cc3

SHA512
ec48aec2e6c0de6c700802efceb620f5b9c6d362d00b741f16a832f40a49288414c8755322d29096106eadf1e8f033b77b29cfe694cd594d985b906df2acce9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
dbd162c7c7923832756de55405b4579f

SHA1
a31e9e3cdd8a6f125fca6aabdee1d5a1a11a7057

SHA256
a7ecc0e5933d124b3730517f17c5b5d450c8a88c60734af7cc2138743c354d26

SHA512
9a50e3c7348d6eaac978f1d00dc10e5eaeb622c6ab3c358e34ebd4e98729458804378026137cc8df79b1b92977a13e609eb50233d7914fa73a82b849591f4a53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
14ee11915241e515f4e0a4d267d5bd98

SHA1
d8622f4753204657fbd4c75ae4b0bb9914de9b91

SHA256
f6d1f5c9b55869e96314d0e96daed2ce06d197bc171a0ccd5d0e5be53dd4cb7f

SHA512
8ecc8002753274045ecab77e73926c66197427b5bf4326de62d386fc8cc69061b06a84e77b51a75ed0100dd0de00cc976c66d6ff957f4a06f390bacc75cbe837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
24f4c10fb1fd933d0f36cc1d0f3ecb83

SHA1
4febe9dfa635dbbc60b5cb849082524e75761bc0

SHA256
6a2815894dfc844cdfc960e6c9da65e81691ad6968af1342c76678b115b62644

SHA512
2679895872f09e45ef5d4a57972f18abd5e7879c72f66fe217f8159eff6373818ed7f3570c08a5818e809983d2c2061c3b47e072934cada3efc688b963d6e3ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
205c74e9d98a407fbb4ff14652189145

SHA1
37494884682411929ad909d9312a8ebba348ebd1

SHA256
f9e2f304008a9e6a51b19cd41e7bb21cc13425b0397f55e55ac6a402073db124

SHA512
9552929571f0be22535d3762ac245e53fd5b696e46409df675791e48e8026c7576f0b7f37b4ac1165bd0ba2047b19352ac263d329b89f43c90966726dad6b323

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_463197BCFA59510875AC26CD4321C84A
MD5
2a8b5c857acbdbcf8b365f55a7cf1da8

SHA1
e296b887bf87a73aa2b6e7776fdd082669362be6

SHA256
16477327a3cc9d60eeca00a59d26b63eb8ca6d09f337728934c3fff51824f532

SHA512
0c157218ab42cf32fae57a9164cba80b58986d300bf5851a8d3a38168e093a9828f5f9e62e323eeb0aa0810355d409d0babe128c8bec17d80dd14060586a3ab4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_3C1BF170B761A591ABEBC4A5CA9B0B8F
MD5
6d2fb9706a0ca2d1c7bf919f38e58ae8

SHA1
087f150e0311e11b00e3d79cb6e0257b5bd25fc1

SHA256
ac740d52e6209b0a147f65add50debdf5efc32deee3e81cbe744d080ceff2db7

SHA512
044f718c5dd711c7fc6e1727f6c67cfb54f6d4e2e7d05126739852e5e1c275cb7ed528fdda93a54f71b59457cb4ec93f012b9d1bf2eb98cb4f3e6fe125e89c5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\rx62z5k\imagestore.dat
MD5
31dec3df31eac223239768193d63e5b0

SHA1
be7c2431c282f7e4aad279491e38db0910745fd8

SHA256
1c7c0668b0bae2ab59a764807a2ccd18b24354be5ecaef6bf2e911f73cfec7d8

SHA512
3e4e1a02c017a0216d8bbc3488a7322609aef100db4d1f7e5a5cf5b7e8484ccc30962f2aeed3bcde0166e497d19235015205bce8082b4637571d5530613de460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\71VTPOTD\search[2].htm
MD5
fb34162913eabcbb6398556516adf1f0

SHA1
67019fbf6cdea9f8c5010b49383eba4dbe39a18e

SHA256
a36cea6ffb9e302703fe77b809583acd3cf1c9474fbf8190b1fe361a043fd348

SHA512
86167ecca48381530da30608890fb52d14b0c79fb5acf8f2fe86cfce873390c752d04d720baa0bc0a746e8eba3c076d0f6175ad77a32e107420e7f3150bc3eb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KML0NMF1\favicon[2].ico
MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KML0NMF1\search[1].htm
MD5
b2cce874a0faf830aff88d0f4fea4a43

SHA1
90aaa7fd6e71d89f69c9da825456fe840aa6eef1

SHA256
9554f1f17220f63f60110167b8973a0b5b3014c3d14b490c908855b4e859bc79

SHA512
b28e34382611d95b01dc64b90b005b634f637d3c539a223c8a3787a8f0edf9eccf2a4f99fb76ffab69b95094d2d5d5c01b96953c8cffc2e6f2080d523a9a9291

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\06DTIZMT.txt
MD5
02c7b7b502b99baba40c0144f9409f5c

SHA1
c64c1ed62861aa0fed65f3059b0964439ce4411c

SHA256
616a976fbce2dcd434e5733aa7e0eec8638d9e1ff0ee68cc21708336e00fecaf

SHA512
e716ca31ec9f7604dd685c7459aa7c568daf0ee171502b1470adb77d543769d31ea26025b52d3e2f186b19820b1571d5873dcf3195878b552ed07d5604bedc8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1VP8E1JH.txt
MD5
fe9210720cecb3376fa1e4420a5df751

SHA1
ca052bc5429d5f1a305b9f040f98ba2ec656dd73

SHA256
f3f84855c310dfb3d7f3ca318a0af0083b2c8a35808d2af409759684e540c87b

SHA512
06c1ddd56186ed8d71064df581355964dc8b2bd433a03562df5fb376d805d3c9b053d308a5f098c02fb18d22c165c210f0ae5a7387125bdc77e7e62cf67eaede

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5H3QGLS3.txt
MD5
17ea9ad8621f9e1f9dd4e61e163cb8f5

SHA1
a01cab105875228141ded3e803621403727cf793

SHA256
59822199284094aff848dcde12e2ad43652088c8740fbeacc86c942e70175436

SHA512
5c923caaa51f5aef674a0ffe476200d25671cee71e1379ad8cb15b18a5e67ec0bcb1df21e9c17da10847a9eaf4a38a0901edf6ba12d45cf0d71e028ab8040d1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N42M5B1G.txt
MD5
b77c4829dec04a162f41d3eb84197d90

SHA1
b3d4a916ff514794f022bc04097e43b4141bac01

SHA256
114257c2b9af821173d37c7f3b0e662fa2e9d744d126a868818609177214c217

SHA512
05a0220928b564106fe6b9c963620efa03b7c61c6d359ed2e708e908466075b68b571d3615d7f0fcb6761c75851b5d916b8434560e8212274fa59cfe10cf5acb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XLT250A2.txt
MD5
94bdeb22641358adce308e2f19d7b014

SHA1
a4d6bb76ab6f60fe0e553223ec9aa1ad39bca275

SHA256
589e49815d2bc6eb148631fd3d9f17933ba5b765f7bea65381ecc265b7ad836c

SHA512
6b517e19f9de08eea7e7d87bb9ece361ceffcc085398ba3139ad9e99df1ee600919833ec023da196aaf688285fa59af6f785dfa80a750588d5819a01289b1865

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSploit-ByAlain-release.exe
MD5
f59b1658efb38fd8fb7eb36d99896d2d

SHA1
931646cb9dcc2afb7261daffe96e09880fa68a42

SHA256
654091267fe517ccb5db63e446d2fb16c1e43cf9ca96fb7eb138fcf0ffefd536

SHA512
e576c565f2fd765786866e51e713d8114c79410d4ef40143780ab06ccf07e84484499db3aa134aea7b9a5755accf677d2c9c2ad0ab45f0dd5e9180eba4f70ace

Download Submit
C:\Users\Admin\Desktop\OXYSploit-ByAlain-release.exe
MD5
f59b1658efb38fd8fb7eb36d99896d2d

SHA1
931646cb9dcc2afb7261daffe96e09880fa68a42

SHA256
654091267fe517ccb5db63e446d2fb16c1e43cf9ca96fb7eb138fcf0ffefd536

SHA512
e576c565f2fd765786866e51e713d8114c79410d4ef40143780ab06ccf07e84484499db3aa134aea7b9a5755accf677d2c9c2ad0ab45f0dd5e9180eba4f70ace

Download Submit
C:\note.txt
MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\Program Files (x86)\OXYSPloit-Release.exe
MD5
4442d99b3a9fb90de40b94e2f0286474

SHA1
f3c823d663c6b5eeaaf34ba0d6d2b7e5c941a69d

SHA256
381ca43359eb49ca36ae4aeeae7b8376b1d4745fd27bd21ed1b70bfa39800ac2

SHA512
bb1c068c54bf438e74ad0f306808b64655c5b873bb32530d593e17f66e30cbf157be1de70d7e0a1c401dca45801022baf0bea54603852494d90292ebe576c532

Download Submit
\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
\Users\Admin\Desktop\OXYSploit-ByAlain-release.exe
MD5
f59b1658efb38fd8fb7eb36d99896d2d

SHA1
931646cb9dcc2afb7261daffe96e09880fa68a42

SHA256
654091267fe517ccb5db63e446d2fb16c1e43cf9ca96fb7eb138fcf0ffefd536

SHA512
e576c565f2fd765786866e51e713d8114c79410d4ef40143780ab06ccf07e84484499db3aa134aea7b9a5755accf677d2c9c2ad0ab45f0dd5e9180eba4f70ace

Download Submit
\Users\Admin\Desktop\OXYSploit-ByAlain-release.exe
MD5
f59b1658efb38fd8fb7eb36d99896d2d

SHA1
931646cb9dcc2afb7261daffe96e09880fa68a42

SHA256
654091267fe517ccb5db63e446d2fb16c1e43cf9ca96fb7eb138fcf0ffefd536

SHA512
e576c565f2fd765786866e51e713d8114c79410d4ef40143780ab06ccf07e84484499db3aa134aea7b9a5755accf677d2c9c2ad0ab45f0dd5e9180eba4f70ace

Download Submit
\Users\Admin\Desktop\OXYSploit-ByAlain-release.exe
MD5
f59b1658efb38fd8fb7eb36d99896d2d

SHA1
931646cb9dcc2afb7261daffe96e09880fa68a42

SHA256
654091267fe517ccb5db63e446d2fb16c1e43cf9ca96fb7eb138fcf0ffefd536

SHA512
e576c565f2fd765786866e51e713d8114c79410d4ef40143780ab06ccf07e84484499db3aa134aea7b9a5755accf677d2c9c2ad0ab45f0dd5e9180eba4f70ace

Download Submit
memory/316-72-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/316-71-0x0000000000190000-0x00000000003EB000-memory.dmp

Filesize
2.4MB

Download
memory/316-73-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/316-81-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/832-92-0x0000000000190000-0x00000000003EB000-memory.dmp

Filesize
2.4MB

Download
memory/832-120-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/832-114-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/832-107-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/832-130-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/832-93-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/832-121-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/932-104-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/932-95-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/932-103-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/932-128-0x0000000001F10000-0x0000000001F12000-memory.dmp

Filesize
8KB

Download
memory/932-90-0x0000000000190000-0x00000000003EB000-memory.dmp

Filesize
2.4MB

Download
memory/932-111-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/1092-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1220-110-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/1220-109-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/1220-108-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/1220-87-0x0000000000190000-0x00000000003EB000-memory.dmp

Filesize
2.4MB

Download
memory/1220-127-0x0000000001F90000-0x0000000001F92000-memory.dmp

Filesize
8KB

Download
memory/1220-101-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1220-91-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1220-94-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1220-102-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1336-129-0x0000000002010000-0x0000000002012000-memory.dmp

Filesize
8KB

Download
memory/1336-126-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1336-117-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1336-118-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1336-119-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1336-106-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1336-105-0x0000000000190000-0x00000000003EB000-memory.dmp

Filesize
2.4MB

Download
memory/1336-124-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1336-125-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1940-134-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1940-100-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/1940-96-0x0000000000190000-0x00000000003EB000-memory.dmp

Filesize
2.4MB

Download
memory/1940-97-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1940-147-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1940-98-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1940-99-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/1940-135-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2032-112-0x0000000000190000-0x00000000003EB000-memory.dmp

Filesize
2.4MB

Download
memory/2032-122-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2032-123-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2032-116-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2032-131-0x0000000000710000-0x0000000000712000-memory.dmp

Filesize
8KB

Download
memory/2032-115-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2032-113-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download