quasar | 57e13460fbe54a3cc57d9abfaf6ef9a9c3c2d804230e4df7d8f97408501e7dfa

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
01-06-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BRUH_QUASAR.exe
Size

3.1MB
MD5

24a82c21233460c9796a86c7857a2adf
SHA1

88017202e84f8d0174caa451bbebd64401ae8032
SHA256

57e13460fbe54a3cc57d9abfaf6ef9a9c3c2d804230e4df7d8f97408501e7dfa
SHA512

32aa12d6dfe90c7dbe2c8f82d60d92e649d381b365c7cc7493526693257d5f859ea8ae5b8b6424193f5465aac76bf210415949ea7b18965644b01f27f38f47a1
SSDEEP

98304:ifNEOWyKYuMQ+xuMiTMBzOKYLSmPX1qadpu4IdXeYbsjeveyYHHY8evKe5Xfc9Oe:AfNuMiTNKYmmPX1qadpu4IdXeYbsjevK

Score

10^/10

quasar remcos $oxy collection persistence rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

$OXY

193.34.77.154:4782

Mutex

fc050dca-72e2-474b-873c-c6835aec5c39

Attributes

encryption_key
7F75A06DDBDADB13C7843DF2026145379D75E4DA
install_name
$OXY_EXE.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$OXY_START
subdirectory
$OXY_SUB

Extracted

Family

remcos

Botnet

$OXY

193.34.77.154:9872

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
2
copy_file
$OXY.exe
copy_folder
$OXY
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
$OXYlogs.dat
keylog_flag
false
keylog_folder
$OXY
keylog_path
%WinDir%\System32
mouse_option
false
mutex
$OXY-6JA1WZ
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
$OXY_Screenshots
screenshot_path
%WinDir%\System32
screenshot_time
120
startup_value
$OXY
take_screenshot_option
false
take_screenshot_time
5

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3412-1-0x0000000000A20000-0x0000000000D3E000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\$OXY_SUB\$OXY_EXE.exe	family_quasar
behavioral1/memory/3060-21-0x000000001C620000-0x000000001C638000-memory.dmp	family_quasar

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

$OXY_EXE.exeM7hAfiveyCHW.exe$OXY.exe

pid process

3060 $OXY_EXE.exe
3576 M7hAfiveyCHW.exe
432 $OXY.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

$OXY_EXE.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	$OXY_EXE.exe
Key opened	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	$OXY_EXE.exe
Key opened	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	$OXY_EXE.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

M7hAfiveyCHW.exe$OXY.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\$OXY = "\"C:\\Windows\\SysWOW64\\$OXY\\$OXY.exe\""	M7hAfiveyCHW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\$OXY = "\"C:\\Windows\\SysWOW64\\$OXY\\$OXY.exe\""	$OXY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\$OXY = "\"C:\\Windows\\SysWOW64\\$OXY\\$OXY.exe\""	iexplore.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 icanhazip.com
7 ip-api.com

flow	ioc
5	icanhazip.com
7	ip-api.com

Drops file in System32 directory 6 IoCs

Processes:

iexplore.exeM7hAfiveyCHW.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\$OXY\$OXYlogs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\$OXY\$OXYlogs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\$OXY\$OXY.exe	M7hAfiveyCHW.exe
File opened for modification	C:\Windows\SysWOW64\$OXY\$OXY.exe	M7hAfiveyCHW.exe
File opened for modification	C:\Windows\SysWOW64\$OXY	M7hAfiveyCHW.exe
File created	C:\Windows\SysWOW64\$OXY_Screenshots\time_20240601_175309.dat	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

$OXY.exeiexplore.exe

description	pid	process	target process
PID 432 set thread context of 3512	432	$OXY.exe	iexplore.exe
PID 3512 set thread context of 1328	3512	iexplore.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$OXY_EXE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	$OXY_EXE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	$OXY_EXE.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1992 schtasks.exe
2864 schtasks.exe

pid	process
1992	schtasks.exe
2864	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 1 IoCs

Processes:

M7hAfiveyCHW.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings M7hAfiveyCHW.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings	M7hAfiveyCHW.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

$OXY_EXE.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	$OXY_EXE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	$OXY_EXE.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

$OXY_EXE.exechrome.exe$OXY.exechrome.exe

pid	process
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
3060	$OXY_EXE.exe
4496	chrome.exe
4496	chrome.exe
432	$OXY.exe
432	$OXY.exe
1860	chrome.exe
1860	chrome.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

$OXY.exeiexplore.exe

pid process

432 $OXY.exe
3512 iexplore.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

4496 chrome.exe
4496 chrome.exe
4496 chrome.exe
4496 chrome.exe
4496 chrome.exe
4496 chrome.exe

pid	process
432	$OXY.exe
3512	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BRUH_QUASAR.exe$OXY_EXE.exemsiexec.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3412	BRUH_QUASAR.exe
Token: SeDebugPrivilege	3060	$OXY_EXE.exe
Token: SeSecurityPrivilege	4740	msiexec.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

3512 iexplore.exe

pid	process
3512	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BRUH_QUASAR.exe$OXY_EXE.execmd.execmd.exechrome.exe

description	pid	process	target process
PID 3412 wrote to memory of 1992	3412	BRUH_QUASAR.exe	schtasks.exe
PID 3412 wrote to memory of 1992	3412	BRUH_QUASAR.exe	schtasks.exe
PID 3412 wrote to memory of 3060	3412	BRUH_QUASAR.exe	$OXY_EXE.exe
PID 3412 wrote to memory of 3060	3412	BRUH_QUASAR.exe	$OXY_EXE.exe
PID 3060 wrote to memory of 2864	3060	$OXY_EXE.exe	schtasks.exe
PID 3060 wrote to memory of 2864	3060	$OXY_EXE.exe	schtasks.exe
PID 3060 wrote to memory of 3820	3060	$OXY_EXE.exe	cmd.exe
PID 3060 wrote to memory of 3820	3060	$OXY_EXE.exe	cmd.exe
PID 3820 wrote to memory of 2168	3820	cmd.exe	chcp.com
PID 3820 wrote to memory of 2168	3820	cmd.exe	chcp.com
PID 3820 wrote to memory of 2652	3820	cmd.exe	netsh.exe
PID 3820 wrote to memory of 2652	3820	cmd.exe	netsh.exe
PID 3820 wrote to memory of 1708	3820	cmd.exe	findstr.exe
PID 3820 wrote to memory of 1708	3820	cmd.exe	findstr.exe
PID 3060 wrote to memory of 2240	3060	$OXY_EXE.exe	cmd.exe
PID 3060 wrote to memory of 2240	3060	$OXY_EXE.exe	cmd.exe
PID 2240 wrote to memory of 1184	2240	cmd.exe	chcp.com
PID 2240 wrote to memory of 1184	2240	cmd.exe	chcp.com
PID 2240 wrote to memory of 4400	2240	cmd.exe	netsh.exe
PID 2240 wrote to memory of 4400	2240	cmd.exe	netsh.exe
PID 4496 wrote to memory of 1232	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1232	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1396	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1508	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 1508	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 5048	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 5048	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 5048	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 5048	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 5048	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 5048	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 5048	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 5048	4496	chrome.exe	chrome.exe
PID 4496 wrote to memory of 5048	4496	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

$OXY_EXE.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	$OXY_EXE.exe

outlook_win_path 1 IoCs

Processes:

$OXY_EXE.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	$OXY_EXE.exe

C:\Users\Admin\AppData\Local\Temp\BRUH_QUASAR.exe
"C:\Users\Admin\AppData\Local\Temp\BRUH_QUASAR.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "$OXY_START" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$OXY_SUB\$OXY_EXE.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1992

C:\Users\Admin\AppData\Roaming\$OXY_SUB\$OXY_EXE.exe
"C:\Users\Admin\AppData\Roaming\$OXY_SUB\$OXY_EXE.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3060

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "$OXY_START" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$OXY_SUB\$OXY_EXE.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2864

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2168

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:2652

C:\Windows\system32\findstr.exe
findstr All
4⤵
PID:1708

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
3⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1184

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
4⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\M7hAfiveyCHW.exe
"C:\Users\Admin\AppData\Local\Temp\M7hAfiveyCHW.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\$OXY\$OXY.exe"
5⤵
PID:3824

C:\Windows\SysWOW64\$OXY\$OXY.exe
C:\Windows\SysWOW64\$OXY\$OXY.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:432

\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
7⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3512

C:\Windows\SysWOW64\svchost.exe
svchost.exe
8⤵
PID:1328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe52dcab58,0x7ffe52dcab68,0x7ffe52dcab78
2⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:2
2⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:8
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:1
2⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:1
2⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:1
2⤵
PID:2932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:8
2⤵
PID:3936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:8
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:8
2⤵
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4956 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:1
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4668 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:1
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3264 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:1
2⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2740 --field-trial-handle=1848,i,1814111886203337132,10885009445592073530,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\872f92ad-2715-4c02-8ed8-eeb35e30e241.tmp
Filesize
130KB

MD5
8a54e5bb1ddada5b974f0cffec01c421

SHA1
da26638c1656cce98a3259db0d581599990d87f8

SHA256
d3752dd8409c1f86b16d95077303eb6f2f41632fa00a3a5bb478fa8ce190c1d5

SHA512
ab234656ac063156c72ca5ffd1d2a849f08ddb268f355cd4bcc1f7f25f43a6f3e87ce1531e6770b513245f279f3da18cb2c364d9dff0e00d6e96ef6f03d3ffa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000030
Filesize
27KB

MD5
97f07e182259f3e5f7cf67865bb1d8f0

SHA1
78c49303cb2a9121087a45770389ca1da03cbcdf

SHA256
c3a70f23a2cf331852a818d3f2a0cf7f048753c9b47aa4e7f0fee234c46b226c

SHA512
10056ad3a71ee806a8d8aff04d513a079568bf11799016f76f27c4255be2141a4c2d99c1f46bbfde9c99ba0f8b44e780a92b59f514d3cc1c248ead915c31b5dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
384B

MD5
890a9230f36f55435d26ab4d7b9f7a93

SHA1
0fc6ff53a9d500f2454fceff738caa8dfad68645

SHA256
1777c0f337d6282b37b8dc1fe7bc698d3c84684f7864cf3d2eb201f9fd9e030b

SHA512
693abbd65f44bb55b8a494280a2d21a0ac564ea28e079e70c28757fb6501a069ab295676d12e62365ac048a4175debff0dff903d0247fdb2eba9956b870d63fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
d42568ea3f50f2d23a1217e06b0bcc5f

SHA1
e5205a84d855d2ed7d48a013a6545c1455a5b330

SHA256
cca394d4c2367ea6500b7f82bc7a8ce55cb4486ef0c70e09e724feb0898f4536

SHA512
ff877b0fb26532394fbf6c87b1def08e3a3498f32ad03484c5bf6c6b9ccdb46bc46c2fbd5b60307afedac6bac2add87c017f430fa045e0e77230eb18e3246bd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
684B

MD5
d3df2b19c47f353c5c1f8fa2907f2ced

SHA1
c6fd7af78328e2803f152ae2e7732facdf4c842d

SHA256
7337b18d107168287025f08a87b7e94f542e0c2b7c4a1dc39940bc3bceed91a1

SHA512
ae3aabee20031fb110dbb5e8758aee8edc190d2c5b0a5a6dac9d4119a467608096442d6440fb92f660de5e64390033773b676b72e74f46619cddb49f5782cb61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e12951e94f9d5dacaea670507333febe

SHA1
cb75e44a64b98833502ea92c6204c157b40ecfe1

SHA256
a1f4241acb157c46a2b140978d031e3a1ddb4b8cddf87ec6098be4f1679fab82

SHA512
1699a7d65f122de7adedbd5b78ec72664aa848d267d4cf7a2e2c9f4efc5585ff20c7ecabfb6d9b409b74ca6e863e50ea94076813044b17966150eeb6818a7bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\M7hAfiveyCHW.exe
Filesize
469KB

MD5
3c5f984fa7db906436eb4c7bef89a019

SHA1
decdd2b0d1307c8a4889b5c7958d85df740d04e3

SHA256
ebc7efee8eec4d345dbe3342b6cb06e705848dffe5192b4baf984d3463d12e4a

SHA512
1313d40e2cf75450103ff76f3f2f1b0a4618ce35d9b972b92caf74dbd6da766432d9dea0d85dbdd078447d75d0255075e1ef511cf7ce47b6f341e1bbd9844fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
524B

MD5
abfc287a93625331ae52b9240b620c0e

SHA1
1d351babf5c95fb756b8fedce6628087b3acd1ab

SHA256
b943d8c974eef97cc35fc2f05cef98094654fff955531c97637aa83150600a3f

SHA512
661327dd7af88b0a13781312e95a7d7c92a53c5aabf08fbfaa5dacfac1a2e5f5701dc87197ef228494ff306f662e9359724e2257443432358e2208fd9faec7b8

Download Submit
C:\Users\Admin\AppData\Local\ee51da1411f35bfcc3c06fb7eb1c90ae\Admin@FEIHHORR_en-US\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\ee51da1411f35bfcc3c06fb7eb1c90ae\Admin@FEIHHORR_en-US\System\Apps.txt
Filesize
6KB

MD5
b51806fc333623d956bba2b30cb4080d

SHA1
dfaa66ccf4ec1f14e8435ebc9b7d10f6d877e527

SHA256
05cacbe9246623069cad3c2d2373a91b82c3e48c77fda2c495e6ca0871875f5d

SHA512
374ea0bc2d1776b1877a1dfa9d3dda978679bd6740e32779ea675af087d482d04fb0dbfd988523209a78ebecb5eb0a01e0a847d4dced5f19df16fffcb02d39c6

Download Submit
C:\Users\Admin\AppData\Local\ee51da1411f35bfcc3c06fb7eb1c90ae\Admin@FEIHHORR_en-US\System\Debug.txt
Filesize
532B

MD5
4be24b6ffe217a9a1237928b1dce449e

SHA1
b0f2f7add3f50cc37e2816d02ef41be5d30b155e

SHA256
38a1c5f6ffa0f683f39de8599c39731c41ab1079ca2908c4ca7a58d21eb2ec4c

SHA512
96676fd4d0b843d8c945b170b7b27e200fe5e8c01b666345606c334324a39b3285a412b453aacadf37d7f1ecf7c1b3c5f6c6e223d773404f7b32c664320d8c0c

Download Submit
C:\Users\Admin\AppData\Local\ee51da1411f35bfcc3c06fb7eb1c90ae\Admin@FEIHHORR_en-US\System\Process.txt
Filesize
1KB

MD5
9290d96e791acb59d13d446b1f3b399e

SHA1
38ae3d1525f0ad30acac19c0b2b94208b4e2fbad

SHA256
ea3ec579a1d040bc480ec4f5a152af0e5c8be9bb32178b68a1c7fd0fc96724dc

SHA512
67b0fb98de6e2119eb7f8a7aba3303813c87501a0d4a32ad5699faa3e86956c096ac4eba242bac7d7b9b63ea09a166497cb7241213ab06a4de5373f61a343677

Download Submit
C:\Users\Admin\AppData\Local\ee51da1411f35bfcc3c06fb7eb1c90ae\Admin@FEIHHORR_en-US\System\Process.txt
Filesize
2KB

MD5
591c6a63f9b32680abb3930a1dabff4d

SHA1
fed50369709073292113de705eacf21bb9f1e0f1

SHA256
24fff9a70fe8f2a6378d579cc376db403fc42a0d5165f880dd16535ae7a8a928

SHA512
cc19bf0744e7789fa1183890169fd4d89e086d115e9b270710175d9aa8d143c9452be7ab121855a06d3d32eec731651dacda3f7e5d72e86828349e5007b2ff76

Download Submit
C:\Users\Admin\AppData\Local\ee51da1411f35bfcc3c06fb7eb1c90ae\Admin@FEIHHORR_en-US\System\Process.txt
Filesize
2KB

MD5
7b55c392f83691df56a6723a83cb7645

SHA1
dcb6a303e6f4c480c75279069bdf76b5aaa73be0

SHA256
ee0c62adeec5db63f406ce2748e2cd76f14db9284ec7189c862cf74e1e276be2

SHA512
d0a545b1c2f2d3ad7640256a0c90e41cee1ae42c266406ebac33a3aaba73b9a3d7645e51beb2228481f08dbfac15f89bd02c7ca3092bf71508aea06eb176fd7c

Download Submit
C:\Users\Admin\AppData\Local\ee51da1411f35bfcc3c06fb7eb1c90ae\Admin@FEIHHORR_en-US\System\Process.txt
Filesize
4KB

MD5
a2cd26dc7f0ea9cada2828f1620b0cb9

SHA1
944aacb91d1db646eb9f6ca1cd4686a65d115618

SHA256
4c10ea89f262a2f35fc84526460bc9e241ca8f1a24e87999d0e0782c37ce8218

SHA512
d4ee4de50a12315634983aa93b1d12360285144e73746643fa5cbec0bfaff76da7dec9f973360a0ee2827859f263e564c9295bbe0d1a123306c2c3b6a78dad26

Download Submit
C:\Users\Admin\AppData\Local\ee51da1411f35bfcc3c06fb7eb1c90ae\Admin@FEIHHORR_en-US\System\Process.txt
Filesize
320B

MD5
bbe4a603d5ed7f8208e78de96d8bd106

SHA1
89890a489ac7dcb6c5cd5d68aefc1e94c0c62ddd

SHA256
87ec93c0146c57f8dd188efd704049b99ec1c252754967c049b768c256e2ba3a

SHA512
e9fa89e650336e4a062e836a768728433694759cecdaadeab6d8c7a1715873da7dbc7845deddcd560c1ec279e32bb10ff1c85d4234519c6e710c48629117c539

Download Submit
C:\Users\Admin\AppData\Local\ee51da1411f35bfcc3c06fb7eb1c90ae\Admin@FEIHHORR_en-US\System\Process.txt
Filesize
702B

MD5
26b9970dbb7a683cd93322798003954f

SHA1
b2b3a4ba4b64d905e18400896c9565eae4bd0a9d

SHA256
6c25af47b5b811939af06e098e1aee8a9f38c51d04d3c05d6d5378e371c0ab93

SHA512
9d0c40db9d201fa31c3dd16ba602801febb7139d446ede8d6e5b650ec519113c043d8ebbab1696decd4c0cc0a40d254d3a9d5bab56a639d43c363a48ae4fe063

Download Submit
C:\Users\Admin\AppData\Local\ee51da1411f35bfcc3c06fb7eb1c90ae\Admin@FEIHHORR_en-US\System\Process.txt
Filesize
1KB

MD5
8e4436d680e796eb2e76a871efe8321f

SHA1
4364e849d7d0a1a35d5878791eb6050778c5f8ea

SHA256
a44d20317868c3eb5973482a3ee6bb3a1ebe1ea4f12f5b06357d631907e4463c

SHA512
7ad4af5a19869501c1b82169d25fef4c221d536ed05a9c4d1fa24c4aa3f5dfb54a916a1152ec43d46dfb77bcd96851553342ebc24c0ed5017ae43f7d7b62d5c4

Download Submit
C:\Users\Admin\AppData\Roaming\$OXY_SUB\$OXY_EXE.exe
Filesize
3.1MB

MD5
24a82c21233460c9796a86c7857a2adf

SHA1
88017202e84f8d0174caa451bbebd64401ae8032

SHA256
57e13460fbe54a3cc57d9abfaf6ef9a9c3c2d804230e4df7d8f97408501e7dfa

SHA512
32aa12d6dfe90c7dbe2c8f82d60d92e649d381b365c7cc7493526693257d5f859ea8ae5b8b6424193f5465aac76bf210415949ea7b18965644b01f27f38f47a1

Download Submit
C:\Windows\SysWOW64\$OXY\$OXYlogs.dat
Filesize
102B

MD5
44a7dec349d271e975ea50b7b27f8ff0

SHA1
e09958b818b3cf2dd21c1b6084cf10210a8e4118

SHA256
15bbf875062e2e45c79863c124a82736cb274f4e3edd378107897f5221009c52

SHA512
77b2c9ed8d02359e9df27fc1f2f0ffef2914236dad602f93e15f3db1ff150da0bad64803a06cb508f2705c9b1e5c33675fe58f2cdb4e466a50bf93e82355ef49

Download Submit
\??\pipe\crashpad_4496_YAJJBVBGONMAVGIP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1328-489-0x0000000000550000-0x00000000005CF000-memory.dmp

Filesize
508KB

Download
memory/1328-488-0x0000000000550000-0x00000000005CF000-memory.dmp

Filesize
508KB

Download
memory/3060-13-0x000000001C640000-0x000000001C6F2000-memory.dmp

Filesize
712KB

Download
memory/3060-38-0x000000001E370000-0x000000001E422000-memory.dmp

Filesize
712KB

Download
memory/3060-505-0x000000001D410000-0x000000001D432000-memory.dmp

Filesize
136KB

Download
memory/3060-20-0x000000001D650000-0x000000001D66E000-memory.dmp

Filesize
120KB

Download
memory/3060-18-0x000000001D6D0000-0x000000001D746000-memory.dmp

Filesize
472KB

Download
memory/3060-195-0x000000001DF70000-0x000000001DFE8000-memory.dmp

Filesize
480KB

Download
memory/3060-17-0x000000001C5E0000-0x000000001C61C000-memory.dmp

Filesize
240KB

Download
memory/3060-21-0x000000001C620000-0x000000001C638000-memory.dmp

Filesize
96KB

Download
memory/3060-16-0x000000001C580000-0x000000001C592000-memory.dmp

Filesize
72KB

Download
memory/3060-22-0x000000001DC60000-0x000000001DD6A000-memory.dmp

Filesize
1.0MB

Download
memory/3060-416-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp

Filesize
10.8MB

Download
memory/3060-12-0x000000001BFF0000-0x000000001C040000-memory.dmp

Filesize
320KB

Download
memory/3060-11-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp

Filesize
10.8MB

Download
memory/3060-10-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp

Filesize
10.8MB

Download
memory/3060-504-0x000000001EDF0000-0x000000001F318000-memory.dmp

Filesize
5.2MB

Download
memory/3060-19-0x000000001D850000-0x000000001DAE2000-memory.dmp

Filesize
2.6MB

Download
memory/3060-503-0x000000001D390000-0x000000001D3B6000-memory.dmp

Filesize
152KB

Download
memory/3060-502-0x000000001D350000-0x000000001D390000-memory.dmp

Filesize
256KB

Download
memory/3060-23-0x000000001DB50000-0x000000001DB8A000-memory.dmp

Filesize
232KB

Download
memory/3060-24-0x000000001D6A0000-0x000000001D6CA000-memory.dmp

Filesize
168KB

Download
memory/3060-25-0x000000001DB90000-0x000000001DBDC000-memory.dmp

Filesize
304KB

Download
memory/3412-1-0x0000000000A20000-0x0000000000D3E000-memory.dmp

Filesize
3.1MB

Download
memory/3412-2-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp

Filesize
10.8MB

Download
memory/3412-9-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp

Filesize
10.8MB

Download
memory/3412-0-0x00007FFE5BA93000-0x00007FFE5BA95000-memory.dmp

Filesize
8KB

Download
memory/3512-484-0x0000000000820000-0x000000000089F000-memory.dmp

Filesize
508KB

Download
memory/3512-480-0x0000000000820000-0x000000000089F000-memory.dmp

Filesize
508KB

Download
memory/3512-487-0x0000000000820000-0x000000000089F000-memory.dmp

Filesize
508KB

Download
memory/3512-479-0x0000000000820000-0x000000000089F000-memory.dmp

Filesize
508KB

Download
memory/3512-478-0x0000000000820000-0x000000000089F000-memory.dmp

Filesize
508KB

Download