69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
06-03-2022 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe
Size

1.9MB
MD5

c92d4a257901ebf90deb87da967f6b57
SHA1

c3d91035b8809b4bbbe2c30ccba3f09b5d1d5cf6
SHA256

69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050
SHA512

0edc0afe3ec41f2955c976c6f1acc9151ba7714adcb5d085f9a2f8c47187a87896ff96dd8be33cbd9b6a01360b658a62edf489a4b46157d48fe4cbf5d25c8c24

Score

9^/10

bootkit evasion persistence

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 9 IoCs

Processes:

OXYSploit-ByAlain-release.exeOXYSPloit-Release.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exe

pid	process
3732	OXYSploit-ByAlain-release.exe
1420	OXYSPloit-Release.exe
2696	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
4780	OXYSPloitRelease4.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXYSPloitRelease4.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OXYSPloit-Release.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exe69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exeOXYSploit-ByAlain-release.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	OXYSPloit-Release.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	OXYSPloitRelease4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	OXYSploit-ByAlain-release.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

OXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Wine	OXYSPloitRelease4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Wine	OXYSPloitRelease4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

OXYSPloitRelease4.exe

description ioc process

File opened for modification \??\PhysicalDrive0 OXYSPloitRelease4.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	OXYSPloitRelease4.exe

Drops file in Program Files directory 7 IoCs

Processes:

OXYSploit-ByAlain-release.exesetup.exe

description	ioc	process
File created	C:\Program Files (x86)\info.bat	OXYSploit-ByAlain-release.exe
File opened for modification	C:\Program Files (x86)\info.bat	OXYSploit-ByAlain-release.exe
File created	C:\Program Files (x86)\OXYSPloit-Release.exe	OXYSploit-ByAlain-release.exe
File opened for modification	C:\Program Files (x86)\OXYSPloit-Release.exe	OXYSploit-ByAlain-release.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fa1a8881-e213-4e4c-9091-24bd30d368bc.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220306203748.pma	setup.exe
File created	C:\Program Files (x86)\__tmp_rar_sfx_access_check_30230109	OXYSploit-ByAlain-release.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

OXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exe

pid	process
4024	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
4024	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
1632	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
3588	OXYSPloitRelease4.exe
2944	OXYSPloitRelease4.exe
1748	OXYSPloitRelease4.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

1716 msedge.exe
1716 msedge.exe
1716 msedge.exe
1716 msedge.exe
1716 msedge.exe
1716 msedge.exe
1716 msedge.exe
1716 msedge.exe

pid	process
1716	msedge.exe
1716	msedge.exe
1716	msedge.exe
1716	msedge.exe
1716	msedge.exe
1716	msedge.exe
1716	msedge.exe
1716	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

svchost.exeAUDIODG.EXE

description	pid	process
Token: SeTcbPrivilege	5072	svchost.exe
Token: SeTcbPrivilege	5072	svchost.exe
Token: SeTcbPrivilege	5072	svchost.exe
Token: SeTcbPrivilege	5072	svchost.exe
Token: SeTcbPrivilege	5072	svchost.exe
Token: 33	64	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	64	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

1716 msedge.exe
1716 msedge.exe
1716 msedge.exe

pid	process
1716	msedge.exe
1716	msedge.exe
1716	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exeOXYSploit-ByAlain-release.execmd.exeOXYSPloit-Release.exeOXYSPloitRelease4.exeOXYSPloitRelease4.exemsedge.exe

description	pid	process	target process
PID 2256 wrote to memory of 3732	2256	69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe	OXYSploit-ByAlain-release.exe
PID 2256 wrote to memory of 3732	2256	69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe	OXYSploit-ByAlain-release.exe
PID 2256 wrote to memory of 3732	2256	69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe	OXYSploit-ByAlain-release.exe
PID 3732 wrote to memory of 4808	3732	OXYSploit-ByAlain-release.exe	cmd.exe
PID 3732 wrote to memory of 4808	3732	OXYSploit-ByAlain-release.exe	cmd.exe
PID 3732 wrote to memory of 4808	3732	OXYSploit-ByAlain-release.exe	cmd.exe
PID 4808 wrote to memory of 1420	4808	cmd.exe	OXYSPloit-Release.exe
PID 4808 wrote to memory of 1420	4808	cmd.exe	OXYSPloit-Release.exe
PID 4808 wrote to memory of 1420	4808	cmd.exe	OXYSPloit-Release.exe
PID 1420 wrote to memory of 2696	1420	OXYSPloit-Release.exe	OXYSPloitRelease4.exe
PID 1420 wrote to memory of 2696	1420	OXYSPloit-Release.exe	OXYSPloitRelease4.exe
PID 1420 wrote to memory of 2696	1420	OXYSPloit-Release.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 4024	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 4024	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 4024	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 2944	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 2944	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 2944	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 3588	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 3588	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 3588	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 1632	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 1632	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 1632	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 1748	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 1748	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 1748	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 4780	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 4780	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 2696 wrote to memory of 4780	2696	OXYSPloitRelease4.exe	OXYSPloitRelease4.exe
PID 4780 wrote to memory of 4540	4780	OXYSPloitRelease4.exe	notepad.exe
PID 4780 wrote to memory of 4540	4780	OXYSPloitRelease4.exe	notepad.exe
PID 4780 wrote to memory of 4540	4780	OXYSPloitRelease4.exe	notepad.exe
PID 4780 wrote to memory of 1716	4780	OXYSPloitRelease4.exe	msedge.exe
PID 4780 wrote to memory of 1716	4780	OXYSPloitRelease4.exe	msedge.exe
PID 1716 wrote to memory of 4840	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4840	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4516	1716	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe
"C:\Users\Admin\AppData\Local\Temp\69f650e3a08473b7293b23ab0367dfb27fd9959fd5a3916f862e4a743a66a050.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\Desktop\OXYSploit-ByAlain-release.exe
"C:\Users\Admin\Desktop\OXYSploit-ByAlain-release.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\info.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Program Files (x86)\OXYSPloit-Release.exe
OXYSPloit-Release.exe -pM1RYANNE -dC:\Users\Admin\Desktop
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /watchdog
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /watchdog
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /watchdog
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /watchdog
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /watchdog
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
"C:\Users\Admin\Desktop\OXYSPloitRelease4.exe" /main
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
7⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=internet+explorer+is+the+best+browser
7⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf66146f8,0x7ffbf6614708,0x7ffbf6614718
8⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
8⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
8⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
8⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
8⤵
PID:900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
8⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 /prefetch:8
8⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
8⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
8⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
8⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
8⤵
- Drops file in Program Files directory
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff7b0a25460,0x7ff7b0a25470,0x7ff7b0a25480
9⤵
PID:5160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
8⤵
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
8⤵
PID:5576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
8⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
8⤵
PID:5404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7076 /prefetch:8
8⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
8⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2056,10819858720175022139,17022612399518457600,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6848 /prefetch:8
8⤵
PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
7⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffbf66146f8,0x7ffbf6614708,0x7ffbf6614718
8⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=virus+builder+legit+free+download
7⤵
PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf66146f8,0x7ffbf6614708,0x7ffbf6614718
8⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=virus.exe
7⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf66146f8,0x7ffbf6614708,0x7ffbf6614718
8⤵
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=how+to+remove+memz+trojan+virus
7⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffbf66146f8,0x7ffbf6614708,0x7ffbf6614718
8⤵
PID:888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:64

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\OXYSPloit-Release.exe
MD5
4442d99b3a9fb90de40b94e2f0286474

SHA1
f3c823d663c6b5eeaaf34ba0d6d2b7e5c941a69d

SHA256
381ca43359eb49ca36ae4aeeae7b8376b1d4745fd27bd21ed1b70bfa39800ac2

SHA512
bb1c068c54bf438e74ad0f306808b64655c5b873bb32530d593e17f66e30cbf157be1de70d7e0a1c401dca45801022baf0bea54603852494d90292ebe576c532

Download Submit
C:\Program Files (x86)\OXYSPloit-Release.exe
MD5
4442d99b3a9fb90de40b94e2f0286474

SHA1
f3c823d663c6b5eeaaf34ba0d6d2b7e5c941a69d

SHA256
381ca43359eb49ca36ae4aeeae7b8376b1d4745fd27bd21ed1b70bfa39800ac2

SHA512
bb1c068c54bf438e74ad0f306808b64655c5b873bb32530d593e17f66e30cbf157be1de70d7e0a1c401dca45801022baf0bea54603852494d90292ebe576c532

Download Submit
C:\Program Files (x86)\info.bat
MD5
2af9dcd6a49591bbaaabb965384dba1d

SHA1
eb275f922d23e68121c3a1c813207c438feffb21

SHA256
bfa96019c8a18e924b11ea009400e9c309a0e0e58621b4304a111f9890100d73

SHA512
c0d85137ac4ae93d87b05665ae7c6fc51b808af2fee5efc41fd7b5c9a62b39bc9e5bbafaf2409584ed16711cf95bc1551a4d80ca59eab1f04b6740cabac8e89b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
ee62affb981b3e9a3246eef79249ad40

SHA1
a1c3564d86bb6341894e1efa65cd923a5c280c8f

SHA256
4a3834071a2ac2372115d0e1146132f41a1497b6616d822eb926bf3ab32dc1ca

SHA512
1450bfd79cbedfb186adfd9f7f2ff9c9296ffd5badae62048bbc67f808d431325ab5afbcc980251833a93f28dc3d6a74d2febdaf6d46697eacfac53c82b2acc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
ee62affb981b3e9a3246eef79249ad40

SHA1
a1c3564d86bb6341894e1efa65cd923a5c280c8f

SHA256
4a3834071a2ac2372115d0e1146132f41a1497b6616d822eb926bf3ab32dc1ca

SHA512
1450bfd79cbedfb186adfd9f7f2ff9c9296ffd5badae62048bbc67f808d431325ab5afbcc980251833a93f28dc3d6a74d2febdaf6d46697eacfac53c82b2acc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
ee62affb981b3e9a3246eef79249ad40

SHA1
a1c3564d86bb6341894e1efa65cd923a5c280c8f

SHA256
4a3834071a2ac2372115d0e1146132f41a1497b6616d822eb926bf3ab32dc1ca

SHA512
1450bfd79cbedfb186adfd9f7f2ff9c9296ffd5badae62048bbc67f808d431325ab5afbcc980251833a93f28dc3d6a74d2febdaf6d46697eacfac53c82b2acc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
ee62affb981b3e9a3246eef79249ad40

SHA1
a1c3564d86bb6341894e1efa65cd923a5c280c8f

SHA256
4a3834071a2ac2372115d0e1146132f41a1497b6616d822eb926bf3ab32dc1ca

SHA512
1450bfd79cbedfb186adfd9f7f2ff9c9296ffd5badae62048bbc67f808d431325ab5afbcc980251833a93f28dc3d6a74d2febdaf6d46697eacfac53c82b2acc4

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSPloitRelease4.exe
MD5
9cd4ef4aab1841cfb3274d36cc599760

SHA1
555df36876523dd1b395db32929eecfa4a759fa7

SHA256
5fe7604e5f080d91e2f43fbe3fd053b8d78f7437b8ceab86cf07aab8f4dcc452

SHA512
5aad5b5c9e3ac914d97057520e1c726f3e8c5fe3ac6acc7451c4d147c8d8e771be5463cfc8f0cb6fba75a2ec05e0da3fd1ca8df6ec6147fc6106291a1ab26d92

Download Submit
C:\Users\Admin\Desktop\OXYSploit-ByAlain-release.exe
MD5
f59b1658efb38fd8fb7eb36d99896d2d

SHA1
931646cb9dcc2afb7261daffe96e09880fa68a42

SHA256
654091267fe517ccb5db63e446d2fb16c1e43cf9ca96fb7eb138fcf0ffefd536

SHA512
e576c565f2fd765786866e51e713d8114c79410d4ef40143780ab06ccf07e84484499db3aa134aea7b9a5755accf677d2c9c2ad0ab45f0dd5e9180eba4f70ace

Download Submit
C:\Users\Admin\Desktop\OXYSploit-ByAlain-release.exe
MD5
f59b1658efb38fd8fb7eb36d99896d2d

SHA1
931646cb9dcc2afb7261daffe96e09880fa68a42

SHA256
654091267fe517ccb5db63e446d2fb16c1e43cf9ca96fb7eb138fcf0ffefd536

SHA512
e576c565f2fd765786866e51e713d8114c79410d4ef40143780ab06ccf07e84484499db3aa134aea7b9a5755accf677d2c9c2ad0ab45f0dd5e9180eba4f70ace

Download Submit
C:\note.txt
MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_1716_HDIKOZDRZLENSXFM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1632-184-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/1632-196-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/1632-182-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/1632-166-0x0000000000FA0000-0x00000000011FB000-memory.dmp

Filesize
2.4MB

Download
memory/1632-178-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/1632-167-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/1632-181-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/1632-183-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/1632-193-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/1748-189-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/1748-170-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/1748-160-0x0000000000FA0000-0x00000000011FB000-memory.dmp

Filesize
2.4MB

Download
memory/1748-169-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1748-164-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/1748-165-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1748-163-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/1748-161-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/1748-190-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/2696-146-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2696-141-0x0000000000FA0000-0x00000000011FB000-memory.dmp

Filesize
2.4MB

Download
memory/2696-145-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2696-143-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/2944-176-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/2944-173-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/2944-195-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/2944-194-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/2944-177-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/2944-153-0x0000000000FA0000-0x00000000011FB000-memory.dmp

Filesize
2.4MB

Download
memory/2944-179-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/2944-154-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/2944-180-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/3588-155-0x0000000000FA0000-0x00000000011FB000-memory.dmp

Filesize
2.4MB

Download
memory/3588-156-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/3588-175-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/3588-168-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/3588-172-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/3588-174-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/3588-192-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/3588-171-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/3588-191-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/4024-152-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/4024-188-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/4024-186-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/4024-187-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/4024-162-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/4024-157-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/4024-159-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/4024-158-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/4024-151-0x0000000000FA0000-0x00000000011FB000-memory.dmp

Filesize
2.4MB

Download
memory/4516-199-0x00007FFC14B60000-0x00007FFC14B61000-memory.dmp

Filesize
4KB

Download
memory/4780-148-0x0000000004F70000-0x0000000004F72000-memory.dmp

Filesize
8KB

Download
memory/4780-149-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/4780-216-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/4780-217-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/4780-197-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4780-150-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/4780-147-0x0000000000FA0000-0x00000000011FB000-memory.dmp

Filesize
2.4MB

Download