quasar | 1abbb40a23b96d43508ea9414e619e4affc2c2754e8867ce1d7778102639fdc0

Analysis

max time kernel
127s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DonioExternalBetaTesting.exe
Size

21.6MB
MD5

8b83b1b0b50756804e0f08c9f3b1b8f7
SHA1

85c32f26ae0e3f04b27bd6718919703aea5543ff
SHA256

1abbb40a23b96d43508ea9414e619e4affc2c2754e8867ce1d7778102639fdc0
SHA512

fac6eb15c691367ef0d67bdd12bc56874c62a87ffdc7b4f6811cb278e432180e4900d6965cb349f1edf3b29f8415506f2c4bf5cd580a309641b525bddcd0ebd9
SSDEEP

393216:b6OqvaxDwIev2jgHvRaWP3xql2s0fdmMsx/pPeBAyYWzUrzShjiIPmF9PDpm:pJUUgPRaGUgfYMuRARzUHiji39PDpm

Score

10^/10

quasar office04 execution pyinstaller spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

73.102.120.5:4782

Mutex

45cfb540-284b-48a7-9d2a-e359fc523739

Attributes

encryption_key
70C79CE5F0635CE0445F6E268995D45A5188DFB3
install_name
DonioExternalBeta.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
WhitelistBeta

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DonioExternalBeta.exe	family_quasar
behavioral1/memory/3588-20-0x0000000000680000-0x00000000009A4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DonioExternalBetaTesting.exeDonioExternalWhitelistBeta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DonioExternalBetaTesting.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DonioExternalWhitelistBeta.exe

Drops startup file 2 IoCs

Processes:

DonioExternalWhitelist.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DonioExternalWhitelist.exe	DonioExternalWhitelist.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DonioExternalWhitelist.exe	DonioExternalWhitelist.exe

Executes dropped EXE 6 IoCs

Processes:

DonioExternalWhitelistBeta.exeDonioExternalBeta.exeDonioExternalWhitelist.exeDonio.exeDonioExternalWhitelist.exeDonioExternalBeta.exe

pid	process
2420	DonioExternalWhitelistBeta.exe
3588	DonioExternalBeta.exe
1516	DonioExternalWhitelist.exe
1408	Donio.exe
3448	DonioExternalWhitelist.exe
4584	DonioExternalBeta.exe

Loads dropped DLL 52 IoCs

Processes:

DonioExternalWhitelist.exe

pid	process
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI15162\python310.dll	upx
behavioral1/memory/3448-152-0x00007FFD3AA40000-0x00007FFD3AEAE000-memory.dmp	upx
behavioral1/memory/3448-181-0x00007FFD50400000-0x00007FFD50419000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_uuid.pyd	upx
behavioral1/memory/3448-207-0x00007FFD4AD30000-0x00007FFD4AD49000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\pyexpat.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\pywin32_system32\pywintypes310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\pywin32_system32\pythoncom310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\win32\win32api.pyd	upx
behavioral1/memory/3448-222-0x00007FFD386E0000-0x00007FFD3879C000-memory.dmp	upx
behavioral1/memory/3448-223-0x00007FFD3A6F0000-0x00007FFD3A71B000-memory.dmp	upx
behavioral1/memory/3448-221-0x00007FFD4A480000-0x00007FFD4A4AE000-memory.dmp	upx
behavioral1/memory/3448-220-0x00007FFD50380000-0x00007FFD5038D000-memory.dmp	upx
behavioral1/memory/3448-219-0x00007FFD3B550000-0x00007FFD3B584000-memory.dmp	upx
behavioral1/memory/3448-218-0x00007FFD50510000-0x00007FFD5051D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_overlapped.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_multiprocessing.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_cffi_backend.cp310-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_asyncio.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\sqlite3.dll	upx
behavioral1/memory/3448-185-0x00007FFD4A7B0000-0x00007FFD4A7DD000-memory.dmp	upx
behavioral1/memory/3448-180-0x00007FFD50570000-0x00007FFD5057F000-memory.dmp	upx
behavioral1/memory/3448-179-0x00007FFD50200000-0x00007FFD50224000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_lzma.pyd	upx
behavioral1/memory/3448-228-0x00007FFD40070000-0x00007FFD4009E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\libffi-7.dll	upx
behavioral1/memory/3448-230-0x00007FFD3FDD0000-0x00007FFD3FE88000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_ctypes.pyd	upx
behavioral1/memory/3448-233-0x00007FFD36070000-0x00007FFD363E5000-memory.dmp	upx
behavioral1/memory/3448-241-0x00007FFD4B020000-0x00007FFD4B030000-memory.dmp	upx
behavioral1/memory/3448-237-0x00007FFD40050000-0x00007FFD40065000-memory.dmp	upx
behavioral1/memory/3448-265-0x00007FFD3FDD0000-0x00007FFD3FE88000-memory.dmp	upx
behavioral1/memory/3448-264-0x00007FFD40070000-0x00007FFD4009E000-memory.dmp	upx
behavioral1/memory/3448-266-0x00007FFD36070000-0x00007FFD363E5000-memory.dmp	upx
behavioral1/memory/3448-252-0x00007FFD3AA40000-0x00007FFD3AEAE000-memory.dmp	upx
behavioral1/memory/3448-257-0x00007FFD4AD30000-0x00007FFD4AD49000-memory.dmp	upx
behavioral1/memory/3448-269-0x00007FFD3AA40000-0x00007FFD3AEAE000-memory.dmp	upx
behavioral1/memory/3448-267-0x00007FFD40050000-0x00007FFD40065000-memory.dmp	upx
behavioral1/memory/3448-270-0x00007FFD3AA40000-0x00007FFD3AEAE000-memory.dmp	upx
behavioral1/memory/3448-291-0x00007FFD3FFE0000-0x00007FFD3FFFF000-memory.dmp	upx
behavioral1/memory/3448-292-0x00007FFD34F90000-0x00007FFD35101000-memory.dmp	upx
behavioral1/memory/3448-294-0x00007FFD3A730000-0x00007FFD3A748000-memory.dmp	upx
behavioral1/memory/3448-296-0x00007FFD3A670000-0x00007FFD3A684000-memory.dmp	upx
behavioral1/memory/3448-295-0x00007FFD364B0000-0x00007FFD36537000-memory.dmp	upx
behavioral1/memory/3448-297-0x00007FFD49DB0000-0x00007FFD49DBB000-memory.dmp	upx
behavioral1/memory/3448-298-0x00007FFD3A0A0000-0x00007FFD3A0C6000-memory.dmp	upx
behavioral1/memory/3448-299-0x00007FFD34E70000-0x00007FFD34F88000-memory.dmp	upx
behavioral1/memory/3448-300-0x00007FFD38650000-0x00007FFD38688000-memory.dmp	upx
behavioral1/memory/3448-307-0x00007FFD3A660000-0x00007FFD3A66C000-memory.dmp	upx
behavioral1/memory/3448-309-0x00007FFD3A650000-0x00007FFD3A65B000-memory.dmp	upx
behavioral1/memory/3448-308-0x00007FFD3A670000-0x00007FFD3A684000-memory.dmp	upx
behavioral1/memory/3448-306-0x00007FFD3A720000-0x00007FFD3A72B000-memory.dmp	upx
behavioral1/memory/3448-305-0x00007FFD3FCA0000-0x00007FFD3FCAC000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

53 discord.com
54 discord.com
58 discord.com
60 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

56 api.ipify.org
57 api.ipify.org
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3440 powershell.exe
3312 powershell.exe

flow	ioc
53	discord.com
54	discord.com
58	discord.com
60	discord.com

flow	ioc
56	api.ipify.org
57	api.ipify.org

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4472 schtasks.exe
924 schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

1004 WMIC.exe

pid	process
4472	schtasks.exe
924	schtasks.exe

pid	process
1004	WMIC.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exeDonioExternalWhitelist.exe

pid	process
3440	powershell.exe
3440	powershell.exe
3312	powershell.exe
3312	powershell.exe
3440	powershell.exe
3312	powershell.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe
3448	DonioExternalWhitelist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DonioExternalBeta.exepowershell.exepowershell.exeDonioExternalBeta.exeDonioExternalWhitelist.exeWMIC.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	3588	DonioExternalBeta.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	4584	DonioExternalBeta.exe
Token: SeDebugPrivilege	3448	DonioExternalWhitelist.exe
Token: SeIncreaseQuotaPrivilege	4732	WMIC.exe
Token: SeSecurityPrivilege	4732	WMIC.exe
Token: SeTakeOwnershipPrivilege	4732	WMIC.exe
Token: SeLoadDriverPrivilege	4732	WMIC.exe
Token: SeSystemProfilePrivilege	4732	WMIC.exe
Token: SeSystemtimePrivilege	4732	WMIC.exe
Token: SeProfSingleProcessPrivilege	4732	WMIC.exe
Token: SeIncBasePriorityPrivilege	4732	WMIC.exe
Token: SeCreatePagefilePrivilege	4732	WMIC.exe
Token: SeBackupPrivilege	4732	WMIC.exe
Token: SeRestorePrivilege	4732	WMIC.exe
Token: SeShutdownPrivilege	4732	WMIC.exe
Token: SeDebugPrivilege	4732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4732	WMIC.exe
Token: SeRemoteShutdownPrivilege	4732	WMIC.exe
Token: SeUndockPrivilege	4732	WMIC.exe
Token: SeManageVolumePrivilege	4732	WMIC.exe
Token: 33	4732	WMIC.exe
Token: 34	4732	WMIC.exe
Token: 35	4732	WMIC.exe
Token: 36	4732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4732	WMIC.exe
Token: SeSecurityPrivilege	4732	WMIC.exe
Token: SeTakeOwnershipPrivilege	4732	WMIC.exe
Token: SeLoadDriverPrivilege	4732	WMIC.exe
Token: SeSystemProfilePrivilege	4732	WMIC.exe
Token: SeSystemtimePrivilege	4732	WMIC.exe
Token: SeProfSingleProcessPrivilege	4732	WMIC.exe
Token: SeIncBasePriorityPrivilege	4732	WMIC.exe
Token: SeCreatePagefilePrivilege	4732	WMIC.exe
Token: SeBackupPrivilege	4732	WMIC.exe
Token: SeRestorePrivilege	4732	WMIC.exe
Token: SeShutdownPrivilege	4732	WMIC.exe
Token: SeDebugPrivilege	4732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4732	WMIC.exe
Token: SeRemoteShutdownPrivilege	4732	WMIC.exe
Token: SeUndockPrivilege	4732	WMIC.exe
Token: SeManageVolumePrivilege	4732	WMIC.exe
Token: 33	4732	WMIC.exe
Token: 34	4732	WMIC.exe
Token: 35	4732	WMIC.exe
Token: 36	4732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3708	wmic.exe
Token: SeSecurityPrivilege	3708	wmic.exe
Token: SeTakeOwnershipPrivilege	3708	wmic.exe
Token: SeLoadDriverPrivilege	3708	wmic.exe
Token: SeSystemProfilePrivilege	3708	wmic.exe
Token: SeSystemtimePrivilege	3708	wmic.exe
Token: SeProfSingleProcessPrivilege	3708	wmic.exe
Token: SeIncBasePriorityPrivilege	3708	wmic.exe
Token: SeCreatePagefilePrivilege	3708	wmic.exe
Token: SeBackupPrivilege	3708	wmic.exe
Token: SeRestorePrivilege	3708	wmic.exe
Token: SeShutdownPrivilege	3708	wmic.exe
Token: SeDebugPrivilege	3708	wmic.exe
Token: SeSystemEnvironmentPrivilege	3708	wmic.exe
Token: SeRemoteShutdownPrivilege	3708	wmic.exe
Token: SeUndockPrivilege	3708	wmic.exe
Token: SeManageVolumePrivilege	3708	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Donio.exe

pid process

1408 Donio.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Donio.exe

pid process

1408 Donio.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DonioExternalBeta.exe

pid process

4584 DonioExternalBeta.exe

pid	process
1408	Donio.exe

pid	process
1408	Donio.exe

pid	process
4584	DonioExternalBeta.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

DonioExternalBetaTesting.exeDonioExternalWhitelistBeta.exeDonioExternalWhitelist.exeDonioExternalWhitelist.exeDonioExternalBeta.exeDonioExternalBeta.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4128 wrote to memory of 3440	4128	DonioExternalBetaTesting.exe	powershell.exe
PID 4128 wrote to memory of 3440	4128	DonioExternalBetaTesting.exe	powershell.exe
PID 4128 wrote to memory of 3440	4128	DonioExternalBetaTesting.exe	powershell.exe
PID 4128 wrote to memory of 2420	4128	DonioExternalBetaTesting.exe	DonioExternalWhitelistBeta.exe
PID 4128 wrote to memory of 2420	4128	DonioExternalBetaTesting.exe	DonioExternalWhitelistBeta.exe
PID 4128 wrote to memory of 2420	4128	DonioExternalBetaTesting.exe	DonioExternalWhitelistBeta.exe
PID 4128 wrote to memory of 3588	4128	DonioExternalBetaTesting.exe	DonioExternalBeta.exe
PID 4128 wrote to memory of 3588	4128	DonioExternalBetaTesting.exe	DonioExternalBeta.exe
PID 2420 wrote to memory of 3312	2420	DonioExternalWhitelistBeta.exe	powershell.exe
PID 2420 wrote to memory of 3312	2420	DonioExternalWhitelistBeta.exe	powershell.exe
PID 2420 wrote to memory of 3312	2420	DonioExternalWhitelistBeta.exe	powershell.exe
PID 2420 wrote to memory of 1516	2420	DonioExternalWhitelistBeta.exe	DonioExternalWhitelist.exe
PID 2420 wrote to memory of 1516	2420	DonioExternalWhitelistBeta.exe	DonioExternalWhitelist.exe
PID 2420 wrote to memory of 1408	2420	DonioExternalWhitelistBeta.exe	Donio.exe
PID 2420 wrote to memory of 1408	2420	DonioExternalWhitelistBeta.exe	Donio.exe
PID 2420 wrote to memory of 1408	2420	DonioExternalWhitelistBeta.exe	Donio.exe
PID 1516 wrote to memory of 3448	1516	DonioExternalWhitelist.exe	DonioExternalWhitelist.exe
PID 1516 wrote to memory of 3448	1516	DonioExternalWhitelist.exe	DonioExternalWhitelist.exe
PID 3448 wrote to memory of 4824	3448	DonioExternalWhitelist.exe	cmd.exe
PID 3448 wrote to memory of 4824	3448	DonioExternalWhitelist.exe	cmd.exe
PID 3588 wrote to memory of 4472	3588	DonioExternalBeta.exe	schtasks.exe
PID 3588 wrote to memory of 4472	3588	DonioExternalBeta.exe	schtasks.exe
PID 3588 wrote to memory of 4584	3588	DonioExternalBeta.exe	DonioExternalBeta.exe
PID 3588 wrote to memory of 4584	3588	DonioExternalBeta.exe	DonioExternalBeta.exe
PID 4584 wrote to memory of 924	4584	DonioExternalBeta.exe	schtasks.exe
PID 4584 wrote to memory of 924	4584	DonioExternalBeta.exe	schtasks.exe
PID 3448 wrote to memory of 2312	3448	DonioExternalWhitelist.exe	cmd.exe
PID 3448 wrote to memory of 2312	3448	DonioExternalWhitelist.exe	cmd.exe
PID 2312 wrote to memory of 1660	2312	cmd.exe	netsh.exe
PID 2312 wrote to memory of 1660	2312	cmd.exe	netsh.exe
PID 3448 wrote to memory of 3828	3448	DonioExternalWhitelist.exe	cmd.exe
PID 3448 wrote to memory of 3828	3448	DonioExternalWhitelist.exe	cmd.exe
PID 3828 wrote to memory of 4732	3828	cmd.exe	WMIC.exe
PID 3828 wrote to memory of 4732	3828	cmd.exe	WMIC.exe
PID 3448 wrote to memory of 3708	3448	DonioExternalWhitelist.exe	wmic.exe
PID 3448 wrote to memory of 3708	3448	DonioExternalWhitelist.exe	wmic.exe
PID 3448 wrote to memory of 2844	3448	DonioExternalWhitelist.exe	cmd.exe
PID 3448 wrote to memory of 2844	3448	DonioExternalWhitelist.exe	cmd.exe
PID 2844 wrote to memory of 1004	2844	cmd.exe	WMIC.exe
PID 2844 wrote to memory of 1004	2844	cmd.exe	WMIC.exe
PID 3448 wrote to memory of 4636	3448	DonioExternalWhitelist.exe	cmd.exe
PID 3448 wrote to memory of 4636	3448	DonioExternalWhitelist.exe	cmd.exe
PID 4636 wrote to memory of 3716	4636	cmd.exe	WMIC.exe
PID 4636 wrote to memory of 3716	4636	cmd.exe	WMIC.exe
PID 3448 wrote to memory of 368	3448	DonioExternalWhitelist.exe	cmd.exe
PID 3448 wrote to memory of 368	3448	DonioExternalWhitelist.exe	cmd.exe
PID 368 wrote to memory of 1928	368	cmd.exe	WMIC.exe
PID 368 wrote to memory of 1928	368	cmd.exe	WMIC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DonioExternalBetaTesting.exe
"C:\Users\Admin\AppData\Local\Temp\DonioExternalBetaTesting.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAcgBjACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAbQBxACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUwBoAGEAcgBpAG4AZwAsACAAQwByAGEAYwBrAGkAbgBnACwAIABMAGUAYQBrAGkAbgBnACwAIABXAGkAbABsACAAUgBlAHMAdQBsAHQAIABJAG4AIABCAGwAYQBjAGsAbABpAHMAdAAnACwAJwAnACwAJwBPAEsAJwAsACcAVwBhAHIAbgBpAG4AZwAnACkAPAAjAHcAeQB0ACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelistBeta.exe
"C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelistBeta.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAYwBjACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAdQBrACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUwBoAGEAcgBpAG4AZwAgAG8AcgAgAGEAbgB5ACAAYwByAGEAYwBrAGkAbgBnACAAbABlAGEAZABzACAAdABvACAAYQAgAGIAbABhAGMAawBsAGkAcwB0ACcALAAnACcALAAnAE8ASwAnACwAJwBXAGEAcgBuAGkAbgBnACcAKQA8ACMAYwB0AGQAIwA+AA=="
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe
"C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe
"C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
5⤵
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
5⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
5⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Detects videocard installed
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
5⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
6⤵
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
5⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
6⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\Donio.exe
"C:\Users\Admin\AppData\Local\Temp\Donio.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1408

C:\Users\Admin\AppData\Local\Temp\DonioExternalBeta.exe
"C:\Users\Admin\AppData\Local\Temp\DonioExternalBeta.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WhitelistBeta\DonioExternalBeta.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4472

C:\Users\Admin\AppData\Roaming\WhitelistBeta\DonioExternalBeta.exe
"C:\Users\Admin\AppData\Roaming\WhitelistBeta\DonioExternalBeta.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WhitelistBeta\DonioExternalBeta.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DonioExternalBeta.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Donio.exe

Filesize
902KB

MD5
c86fdb05d8039576a5b4337e9c325501

SHA1
67ab5f331da4ae476834091deb16e6368368cfd4

SHA256
8ec2857c4450d31b6501fcb09d9df278f43aeef4aeb777665eb7c12969f20a55

SHA512
a5588d17134b9dbdcf64818053d9c5175cfa931ccfc753e83720118ecf2e45aae3917b14f17cbff7195c9f843e36bf9a70090a4c01501677ea5878fe4f49c9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\DonioExternalBeta.exe

Filesize
3.1MB

MD5
f6cac3799f1b2b86055066dd79e3b54e

SHA1
b9ed623e0866524e70c780a3dabf3328b951a817

SHA256
fd36b4f1250ecd6a31e5bae1364324ae884396162b5182e876b4fa4a745423e4

SHA512
229a8cc4a0bc298ac6992b939316c6bba3e6e6107d3b3c1fc003520b317b5d7ca550dcd28ae6e32acf726981616482d7f7fa3d2ca1926a25dc0e77d520ab646f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe

Filesize
17.6MB

MD5
37b1ed056cce1544b5f403f7de1475b1

SHA1
d93127c883413b2faa6a0e62ecfb64172317fb9f

SHA256
09b42cf2750cf3f7e2ed7d59402f1e7d4a61725470418bf770c2258eff0e18f7

SHA512
d4210115d6e9157b49f0ee8a91dead139bedc76c209f490b351c3ae14088c52a48b81c13ee8129fe5cea73b99e9eeab6b5fefa1a3ab12e4613709b9080e61a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelistBeta.exe

Filesize
18.5MB

MD5
e5b1ee08a3dc911e1b03c5e1144b56a4

SHA1
a8d6c78529ac362e8f064e9bee6200d876c69dca

SHA256
60166316f528438e7d4b02f15e097ab82d274dbefeee452c0e07ca7b9a629500

SHA512
03e2245541db3bdd3f0a31f226c18617851330f2f0c314233cfa64912eac718eccff997c1d0c02f45e08af1ef54512ff7b2492884b9d36bde7d397a90ba210b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IShal5ptNM\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IShal5ptNM\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_asyncio.pyd

Filesize
34KB

MD5
712d3a6f3e4904f7b5e1f2ff98666fcf

SHA1
a1356402f70afa1793a8332760ebbec564cddaec

SHA256
179cc647d2a512101a41e42fda6c60586c57325c1f7669ed5a2862d837e63f0f

SHA512
08577ea318febb1af3c938191118e0a1ae44fdf6fe4c942678085b7e3c178bfeb8312361c9f3706007b6324a71e47ce39e59ef6741bee251694182f9c0164aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_bz2.pyd

Filesize
46KB

MD5
67086fa5b7a91965c6b97793653ac371

SHA1
2bbf4f9b0132fcf8c87abe75861faf5c3183e0ab

SHA256
f4f29d87ef972100dd92c0a585687db051c1d61e6eb15cc0259fcbb28a24213a

SHA512
df5ec287f041285048020658de6bd7a8260f77127df0887646504ee94edd42c43f014a49435d3af7c946d58f2c300bf47f8e3281609f76f033bfda628be33b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
6954da0da2028a646ba438f3c56d21a5

SHA1
ded5d73f30288d84756c019b1399f9c403fab56c

SHA256
f5cf4158ec21b889fd22e7df962f2bee641b39e4feee604541c2bc5d8d882d71

SHA512
f9a3c1e5d9aa7e39a6e486c15091f427f632a0ec60e6cae206c4276cd920fc87f870931938cbd2b36bec52625cd5d25d15d342a7df4b9f6f9fc241d7fec9f97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_ctypes.pyd

Filesize
56KB

MD5
e3d88469b78bf1919fa552a021ce479c

SHA1
2baad99e4e39177c35970adea25971a6ea46c1a0

SHA256
09eb5b558c678f36dff886ed2e975d5593baf883c463b140d20fdd4369a1e1c3

SHA512
6d7bf9e00e43a26aa677acbb35b620b912ffddc0faca98900c40dd7a50ca127fc2d10ebb15b42b2b603a6ab0a68e8ad312ebb535cb9fcb65403b31021947c16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_decimal.pyd

Filesize
103KB

MD5
fd1c4c843c3e169cb2a0566fb456a9d7

SHA1
61f363d724d3cb85c44af5121510a6bfdf34a1c1

SHA256
b8cb6060f417858c166e66d2697d96abe4ec0e486fd0074ac2f4e07a6d29d171

SHA512
2263be5c078be7e4f09b3507e8f0e9e658f90485451b0df3a605e8747241b838a065f687904ebda1f0ae4f9fe4a21f707667ef5c9b246c249a6eb3d34b26e63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_hashlib.pyd

Filesize
33KB

MD5
90c6b459bb46b43b2381a16d96350164

SHA1
5830ef39e0da51fe81e9250f97d1485ba6588b2c

SHA256
5c6bf4d4160d90b82ededdbe29ec757e632119b74bbda8cbf6040acaab06e6f9

SHA512
c5c17f6be39817b645fc5f32cbabc9517aed22bce749e3d4fb93eab0816391ef83a5f7ade83e03883239fd2c6dc5cf6ec775def0e7ff205c46aec571a9b6dc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_lzma.pyd

Filesize
84KB

MD5
c731e138e9daff344e74c4ead3922583

SHA1
06447109fa1d04a3d6949a3befe25e16b10eb0c9

SHA256
3ca4c628cff43d16eec49f91c424911a7e0059e2bc6c0842377ca461ecd65ed2

SHA512
aac5403d126ba800eac7ed4f544f0a13ee82af261873894290ef68253970d42473e0c0d1499f8dc26c993e09e35a38f5f7944f43005462460aac0c94e4657f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_multiprocessing.pyd

Filesize
25KB

MD5
70cc374f078d320c22e0af28ea458763

SHA1
9bdf540a3753f1240bf0b325e73fee6473a1b542

SHA256
40661236d5d459d0a5eca05ab89b4ea552ba2d75739ca64b0b8c7671addc24a1

SHA512
4ad1bfe8c911ed9e2070b412244d982cbc7790bc67682386fba7894168a0afe96f7dc0395bb77cfa7f6012c73b396eedc2a13a4bac8d97c3dbaa4c5004e8dd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_overlapped.pyd

Filesize
30KB

MD5
0eda90832b62542e3fa8df44d80d7a4a

SHA1
fd2e34a0c5d5dc5df2a6cc46283f042616df2f89

SHA256
a27c1e89a5f80fd580bed93fe6b2d0fd9a90362d0c0461b129579b49f6b0d61d

SHA512
3c93d8643732a197a02daca0863e05e9664fc2790e6d54fa4784fab0eeab3d65652cae84c10392dde937b9cde768054a40221e5263d31b6e01debdbc3e8a63ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_queue.pyd

Filesize
24KB

MD5
8b7afe95319742f4d68be5df05f8647f

SHA1
4e65556259624d25cad8c485c33d4820c6940b57

SHA256
505c019316fc31d664f5f433e2a9dae4e8b2c9c13d4f62fca6abc143fc48fe4c

SHA512
6537903147ab75bebadcb022139a6ba52eae0049e4f504fcc0c848a2c000347f03608f9d98e252962a46e75f0cf20c6b73d3dd026cf8d29fb5996a814110dac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_socket.pyd

Filesize
41KB

MD5
eb901c16ac3dead7dbb69f2df5b1bcd7

SHA1
38ef1766f2c43cd3f47c0a695f9d78b1f63be37d

SHA256
e6d8cf287924b97c626dfe0f6ddffa1f8f62890e94abdd0346f7ecc2a498e147

SHA512
08c431ea59b2dc81dae6eafe4c15024b509790febf25019d5cc0e81f79266c13ebb2767946043555af2cfcadebd6b03707ea951e90b3bf675002fb6cc199667f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_sqlite3.pyd

Filesize
48KB

MD5
a0c3e4372f8378135e7ef192997c455a

SHA1
b8926b99672c541493cf73a5aaabe847f69eebce

SHA256
629c582ace5af6f81874beed471ad34d6a635641d5db2e8dd2f2832285b5a807

SHA512
54e3596bfb49495b11049f2beecd11c4f14d0cd6b292afe7e8348c71032c2d4edbddf3f1418bae7250edc5bd3f0c00d7068aaf8f22ae0ee62b9ac2e7b061d02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_ssl.pyd

Filesize
60KB

MD5
817233b9fe6697835c26cd4ec543d829

SHA1
2ad3b07d120712b232762ba5802ba9d4e36b4229

SHA256
192dca065c55c351ccc50ddf2537b7295180de4da55a1ecfc933b3441d38a253

SHA512
e0758ffbd2e393603d1d5bb37a9aaba5d613d092df93398fe47901e5e9a6fa1f99cd281291b00dcf51ee89135f044aee0e7ed65dfaeb1efc921803a198950b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\_uuid.pyd

Filesize
21KB

MD5
a14d125f1ff6fddd7f76b4f4b825fd61

SHA1
bf62278ecf758c117020099e1af3cc3705223a9e

SHA256
a76767176657524a78971f8af7cc64f8926b39375d7dee64afb87fd3bcfe3316

SHA512
85241c3679811e99cab94eb3bc146bbae704408ed010b422798b2936e24882a747a4e3abe44893d1b15c10e84f1e0f2ea42b15e831a6b72e046254fdfcec5350

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\base_library.zip

Filesize
859KB

MD5
f5b15ac0a24a122d69c41843da5d463b

SHA1
e25772476631d5b6dd278cb646b93abd282c34ed

SHA256
ec3b8c865c6e3c5e35449b32dcb397da665d6a10fbee61284489a6c420c72a3b

SHA512
1704611166d63962e14deb6d519c2a7af4f05bca308c1949652fddf89bc526c594ede43a34b9306e5979998576f448951d08ad9e25b6d749d5d46b7d18d133b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\libcrypto-1_1.dll

Filesize
1.1MB

MD5
7dcc7e84b12764bfdc109fb3a0354b8c

SHA1
e29855c661003c0c30985cd085b57b1160077219

SHA256
34de2d67d3270d44421d6b5e39f29b4466f7f4121fdbb72b37a62449731230ec

SHA512
45ad32ba83a010fcc6ffd6651305af114fc891dbd409213ca640665da9ba27bccddd35cb329acc8e92a789f7c8a2ab527621cf46aa6c3b93c97342c030a2b826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\libffi-7.dll

Filesize
23KB

MD5
bfdf5ec44cb18cfd1e5e62c1dd9234b8

SHA1
c8f6ca25dac5f1ace786f38315f38f39d5da5a47

SHA256
4da81872062f20cb20228f211837984ee841ab230b0deb4ee8ecb4185d744c94

SHA512
b8d36d5e7f876d362056788b5175ba2af1a016a5330098c96657d376a9be7f91ca4729403bb531610b3a20b70d2d957262c1f492b80a59b25ed2ea81a15f3fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\libssl-1_1.dll

Filesize
203KB

MD5
a76169ad3875772a2ce65bdd9579a67e

SHA1
6bcb1c76976fa0fbc847848174f057b268665cb3

SHA256
45dbc7f6c47a30a11c8d56f820dcc439686c8267d53293a33a7fa3d4cd5b617d

SHA512
74d6196098363217b3344ba60517c7c98443b46c018dfcd983f19133cd770eea6d8c9c9cc3d19f689c945fb642b4106a8324509fe840b2e9565157c36690b368

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\pyexpat.pyd

Filesize
86KB

MD5
da7d165787f16ed5c466c491d60ab14d

SHA1
70073b055317fa12335242ae0cb936c785ed28a3

SHA256
93702905c2b42b43ea6756221ae374b0ef4f2d3949f3a82545ad35eb9a3fff97

SHA512
83798f3df5e22fb0ecc642c311af3c8e8e661f32c454f9e14614a7a4ae670f1b8256dd14152030e8269a8356a3e55ea0b52d9d778d1e1db529ceb341114db3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\python310.dll

Filesize
1.4MB

MD5
c2897cda0fa2dec34a7df6f8701d2b70

SHA1
e255ef1bf6da858730c11160eafa3872a9729c0b

SHA256
36ceefbbdccabff811439d5b4fe9f52be6265ee0f9048dbe7744c8c365f848a3

SHA512
a051f58ca01ffe0614e6ad5643a27c8012b3a0c3c5be8d662ffe931e65fc70c6561d16261412c731d392f7affdf46757c459dfb2dce9a30fb0704ee04916e50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\pywin32_system32\pythoncom310.dll

Filesize
193KB

MD5
7582d557db4ff51de84f5c31d1ec621e

SHA1
ba09b3471b1818bfca04e8d3e2c45114b1a514d0

SHA256
74ad540180c90eb5ba63560c6602cbb824c642cf997dfc4f9e926f1ef520f5a7

SHA512
4a72617f6ae75f71ad57608b61df0095faac9364a2174f67c252fd6c9c69e11591971e8525aa7437f969f708d350825ab14a108d31226a62e47bd32aeed62e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\pywin32_system32\pywintypes310.dll

Filesize
62KB

MD5
9c3180552346dc1853a15f61d0d1ec23

SHA1
27fc9c7be498922c2e281373f35f348eaa517444

SHA256
3308d28cb2e56562b0f77eb5fdc5bd5ff9c7d6a38192a36a41ace206e71353d7

SHA512
793c75ef0964170c7ea008ca3d7ee00576bf9fbdca0ffe3d08194625606854725bf767b2ed7a84de0e868438428084c2978c38096f19014b0a01f28aaaaeebba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\select.pyd

Filesize
24KB

MD5
e7af562db16c73c340fa4fd1ac048935

SHA1
98e7ab9e6cf465d24a2f655703e21b1e22baa313

SHA256
55c5af3082b849472289ce261aa53dca12ff3a5f720ac38c0967bd2fc9095c52

SHA512
e65f41fc410c5d71d377c3485c2f2fa80a03c592915bf7e64cf99c6a47b325d7f4ff3c6e0c5da4f42461fbc843ddb1e8481fa2c6e84f07f3a6d2689ae47dd5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\sqlite3.dll

Filesize
608KB

MD5
8ab8a5fa338b9dd855b0a1247bde46d9

SHA1
89a08a10c92335b1367ab0d5c36b82a7464c95b7

SHA256
7833378ca393dfc816d619703829e0440b350a389cf174017c2c045a9c27463d

SHA512
5380e692faafce754844d5be2421221e7469ce5665a82de4658462d33b5fdf1a9fda8338f36b75d2151bdc29bea1e909634b6c9f00fafaa6f7120998f0086ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\unicodedata.pyd

Filesize
287KB

MD5
b6dce7d76ddd91fe3ac768f9272a3c5e

SHA1
5b7a6a644c7f54472f2ffcb7211f0fc7a17c6630

SHA256
6bb012c7a7426b1093192d61ebf52f349c0c01fbe043945002fbf9a9498ce0f8

SHA512
4e520936a36a460cb7a675a95b1b2d4b7856869b308919ba9bac81abdab2ce3ec31b89ba48b6f75aee2d6881c5457217db302f76d10e0dab3222b492e5b30765

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\win32\win32api.pyd

Filesize
48KB

MD5
f8b962cd8522a108d63237e073ecf464

SHA1
a1de787120bd109efa224ebfb64ffd94891d207e

SHA256
77c5ecce2a9fc001560beec95d326363375c5ca768f897fe5fd9105f8ac6300d

SHA512
12c551c9f7c55c98d52fa51e472c61e57af6da38ba19b5d9ad696a051b21103c8dc10af3ef8cfdc41cbcb6cc7b0ccdce91b04ea14a6b6f0089c0626d0082c1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4pqt0ae5.d0s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3312-153-0x0000000006200000-0x0000000006554000-memory.dmp

Filesize
3.3MB

Download
memory/3312-246-0x0000000007E40000-0x00000000084BA000-memory.dmp

Filesize
6.5MB

Download
memory/3312-247-0x0000000006D10000-0x0000000006D2A000-memory.dmp

Filesize
104KB

Download
memory/3312-248-0x0000000008A70000-0x0000000009014000-memory.dmp

Filesize
5.6MB

Download
memory/3440-240-0x00000000737DE000-0x00000000737DF000-memory.dmp

Filesize
4KB

Download
memory/3440-146-0x0000000005590000-0x00000000055B2000-memory.dmp

Filesize
136KB

Download
memory/3440-225-0x00000000065A0000-0x00000000065EC000-memory.dmp

Filesize
304KB

Download
memory/3440-22-0x0000000005820000-0x0000000005E48000-memory.dmp

Filesize
6.2MB

Download
memory/3440-151-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/3440-224-0x0000000006560000-0x000000000657E000-memory.dmp

Filesize
120KB

Download
memory/3440-21-0x0000000002F60000-0x0000000002F96000-memory.dmp

Filesize
216KB

Download
memory/3440-150-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/3440-5-0x00000000737DE000-0x00000000737DF000-memory.dmp

Filesize
4KB

Download
memory/3440-249-0x0000000007720000-0x00000000077B2000-memory.dmp

Filesize
584KB

Download
memory/3448-267-0x00007FFD40050000-0x00007FFD40065000-memory.dmp

Filesize
84KB

Download
memory/3448-313-0x00007FFD395F0000-0x00007FFD395FC000-memory.dmp

Filesize
48KB

Download
memory/3448-179-0x00007FFD50200000-0x00007FFD50224000-memory.dmp

Filesize
144KB

Download
memory/3448-180-0x00007FFD50570000-0x00007FFD5057F000-memory.dmp

Filesize
60KB

Download
memory/3448-230-0x00007FFD3FDD0000-0x00007FFD3FE88000-memory.dmp

Filesize
736KB

Download
memory/3448-185-0x00007FFD4A7B0000-0x00007FFD4A7DD000-memory.dmp

Filesize
180KB

Download
memory/3448-233-0x00007FFD36070000-0x00007FFD363E5000-memory.dmp

Filesize
3.5MB

Download
memory/3448-218-0x00007FFD50510000-0x00007FFD5051D000-memory.dmp

Filesize
52KB

Download
memory/3448-241-0x00007FFD4B020000-0x00007FFD4B030000-memory.dmp

Filesize
64KB

Download
memory/3448-219-0x00007FFD3B550000-0x00007FFD3B584000-memory.dmp

Filesize
208KB

Download
memory/3448-237-0x00007FFD40050000-0x00007FFD40065000-memory.dmp

Filesize
84KB

Download
memory/3448-236-0x00000245B7140000-0x00000245B74B5000-memory.dmp

Filesize
3.5MB

Download
memory/3448-220-0x00007FFD50380000-0x00007FFD5038D000-memory.dmp

Filesize
52KB

Download
memory/3448-221-0x00007FFD4A480000-0x00007FFD4A4AE000-memory.dmp

Filesize
184KB

Download
memory/3448-223-0x00007FFD3A6F0000-0x00007FFD3A71B000-memory.dmp

Filesize
172KB

Download
memory/3448-222-0x00007FFD386E0000-0x00007FFD3879C000-memory.dmp

Filesize
752KB

Download
memory/3448-430-0x00007FFD34E70000-0x00007FFD34F88000-memory.dmp

Filesize
1.1MB

Download
memory/3448-431-0x00007FFD34C20000-0x00007FFD34E65000-memory.dmp

Filesize
2.3MB

Download
memory/3448-265-0x00007FFD3FDD0000-0x00007FFD3FE88000-memory.dmp

Filesize
736KB

Download
memory/3448-264-0x00007FFD40070000-0x00007FFD4009E000-memory.dmp

Filesize
184KB

Download
memory/3448-266-0x00007FFD36070000-0x00007FFD363E5000-memory.dmp

Filesize
3.5MB

Download
memory/3448-252-0x00007FFD3AA40000-0x00007FFD3AEAE000-memory.dmp

Filesize
4.4MB

Download
memory/3448-257-0x00007FFD4AD30000-0x00007FFD4AD49000-memory.dmp

Filesize
100KB

Download
memory/3448-269-0x00007FFD3AA40000-0x00007FFD3AEAE000-memory.dmp

Filesize
4.4MB

Download
memory/3448-207-0x00007FFD4AD30000-0x00007FFD4AD49000-memory.dmp

Filesize
100KB

Download
memory/3448-270-0x00007FFD3AA40000-0x00007FFD3AEAE000-memory.dmp

Filesize
4.4MB

Download
memory/3448-181-0x00007FFD50400000-0x00007FFD50419000-memory.dmp

Filesize
100KB

Download
memory/3448-291-0x00007FFD3FFE0000-0x00007FFD3FFFF000-memory.dmp

Filesize
124KB

Download
memory/3448-292-0x00007FFD34F90000-0x00007FFD35101000-memory.dmp

Filesize
1.4MB

Download
memory/3448-294-0x00007FFD3A730000-0x00007FFD3A748000-memory.dmp

Filesize
96KB

Download
memory/3448-293-0x00000245B7140000-0x00000245B74B5000-memory.dmp

Filesize
3.5MB

Download
memory/3448-296-0x00007FFD3A670000-0x00007FFD3A684000-memory.dmp

Filesize
80KB

Download
memory/3448-295-0x00007FFD364B0000-0x00007FFD36537000-memory.dmp

Filesize
540KB

Download
memory/3448-297-0x00007FFD49DB0000-0x00007FFD49DBB000-memory.dmp

Filesize
44KB

Download
memory/3448-298-0x00007FFD3A0A0000-0x00007FFD3A0C6000-memory.dmp

Filesize
152KB

Download
memory/3448-299-0x00007FFD34E70000-0x00007FFD34F88000-memory.dmp

Filesize
1.1MB

Download
memory/3448-300-0x00007FFD38650000-0x00007FFD38688000-memory.dmp

Filesize
224KB

Download
memory/3448-307-0x00007FFD3A660000-0x00007FFD3A66C000-memory.dmp

Filesize
48KB

Download
memory/3448-309-0x00007FFD3A650000-0x00007FFD3A65B000-memory.dmp

Filesize
44KB

Download
memory/3448-308-0x00007FFD3A670000-0x00007FFD3A684000-memory.dmp

Filesize
80KB

Download
memory/3448-306-0x00007FFD3A720000-0x00007FFD3A72B000-memory.dmp

Filesize
44KB

Download
memory/3448-305-0x00007FFD3FCA0000-0x00007FFD3FCAC000-memory.dmp

Filesize
48KB

Download
memory/3448-304-0x00007FFD34F90000-0x00007FFD35101000-memory.dmp

Filesize
1.4MB

Download
memory/3448-303-0x00007FFD47230000-0x00007FFD4723B000-memory.dmp

Filesize
44KB

Download
memory/3448-302-0x00007FFD3FFE0000-0x00007FFD3FFFF000-memory.dmp

Filesize
124KB

Download
memory/3448-310-0x00007FFD39940000-0x00007FFD3994C000-memory.dmp

Filesize
48KB

Download
memory/3448-301-0x00007FFD48320000-0x00007FFD4832B000-memory.dmp

Filesize
44KB

Download
memory/3448-312-0x00007FFD34E70000-0x00007FFD34F88000-memory.dmp

Filesize
1.1MB

Download
memory/3448-316-0x00007FFD38E70000-0x00007FFD38E7C000-memory.dmp

Filesize
48KB

Download
memory/3448-315-0x00007FFD38650000-0x00007FFD38688000-memory.dmp

Filesize
224KB

Download
memory/3448-314-0x00007FFD395E0000-0x00007FFD395EE000-memory.dmp

Filesize
56KB

Download
memory/3448-228-0x00007FFD40070000-0x00007FFD4009E000-memory.dmp

Filesize
184KB

Download
memory/3448-311-0x00007FFD3A0A0000-0x00007FFD3A0C6000-memory.dmp

Filesize
152KB

Download
memory/3448-317-0x00007FFD38E60000-0x00007FFD38E6B000-memory.dmp

Filesize
44KB

Download
memory/3448-320-0x00007FFD38590000-0x00007FFD3859C000-memory.dmp

Filesize
48KB

Download
memory/3448-319-0x00007FFD385A0000-0x00007FFD385AC000-memory.dmp

Filesize
48KB

Download
memory/3448-318-0x00007FFD38E50000-0x00007FFD38E5B000-memory.dmp

Filesize
44KB

Download
memory/3448-322-0x00007FFD38560000-0x00007FFD38572000-memory.dmp

Filesize
72KB

Download
memory/3448-321-0x00007FFD38580000-0x00007FFD3858D000-memory.dmp

Filesize
52KB

Download
memory/3448-323-0x00007FFD381A0000-0x00007FFD381AC000-memory.dmp

Filesize
48KB

Download
memory/3448-324-0x00007FFD34C20000-0x00007FFD34E65000-memory.dmp

Filesize
2.3MB

Download
memory/3448-325-0x00007FFD38190000-0x00007FFD3819A000-memory.dmp

Filesize
40KB

Download
memory/3448-326-0x00007FFD38160000-0x00007FFD38189000-memory.dmp

Filesize
164KB

Download
memory/3448-152-0x00007FFD3AA40000-0x00007FFD3AEAE000-memory.dmp

Filesize
4.4MB

Download
memory/3448-432-0x00007FFD38190000-0x00007FFD3819A000-memory.dmp

Filesize
40KB

Download
memory/3448-370-0x00007FFD3FDD0000-0x00007FFD3FE88000-memory.dmp

Filesize
736KB

Download
memory/3448-374-0x00007FFD3FFE0000-0x00007FFD3FFFF000-memory.dmp

Filesize
124KB

Download
memory/3448-375-0x00007FFD34F90000-0x00007FFD35101000-memory.dmp

Filesize
1.4MB

Download
memory/3448-371-0x00007FFD36070000-0x00007FFD363E5000-memory.dmp

Filesize
3.5MB

Download
memory/3448-369-0x00007FFD40070000-0x00007FFD4009E000-memory.dmp

Filesize
184KB

Download
memory/3448-365-0x00007FFD50380000-0x00007FFD5038D000-memory.dmp

Filesize
52KB

Download
memory/3448-357-0x00007FFD3AA40000-0x00007FFD3AEAE000-memory.dmp

Filesize
4.4MB

Download
memory/3448-383-0x00007FFD55680000-0x00007FFD5568F000-memory.dmp

Filesize
60KB

Download
memory/3448-382-0x00007FFD385A0000-0x00007FFD385AC000-memory.dmp

Filesize
48KB

Download
memory/3448-389-0x00007FFD50570000-0x00007FFD5057F000-memory.dmp

Filesize
60KB

Download
memory/3448-393-0x00007FFD50510000-0x00007FFD5051D000-memory.dmp

Filesize
52KB

Download
memory/3448-392-0x00007FFD4AD30000-0x00007FFD4AD49000-memory.dmp

Filesize
100KB

Download
memory/3448-391-0x00007FFD4A7B0000-0x00007FFD4A7DD000-memory.dmp

Filesize
180KB

Download
memory/3448-414-0x00007FFD4A480000-0x00007FFD4A4AE000-memory.dmp

Filesize
184KB

Download
memory/3448-416-0x00007FFD3A6F0000-0x00007FFD3A71B000-memory.dmp

Filesize
172KB

Download
memory/3448-418-0x00007FFD3FDD0000-0x00007FFD3FE88000-memory.dmp

Filesize
736KB

Download
memory/3448-417-0x00007FFD40070000-0x00007FFD4009E000-memory.dmp

Filesize
184KB

Download
memory/3448-415-0x00007FFD386E0000-0x00007FFD3879C000-memory.dmp

Filesize
752KB

Download
memory/3448-413-0x00007FFD50380000-0x00007FFD5038D000-memory.dmp

Filesize
52KB

Download
memory/3448-412-0x00007FFD3B550000-0x00007FFD3B584000-memory.dmp

Filesize
208KB

Download
memory/3448-411-0x00007FFD3AA40000-0x00007FFD3AEAE000-memory.dmp

Filesize
4.4MB

Download
memory/3448-390-0x00007FFD50400000-0x00007FFD50419000-memory.dmp

Filesize
100KB

Download
memory/3448-388-0x00007FFD50200000-0x00007FFD50224000-memory.dmp

Filesize
144KB

Download
memory/3448-419-0x00007FFD36070000-0x00007FFD363E5000-memory.dmp

Filesize
3.5MB

Download
memory/3448-420-0x00007FFD40050000-0x00007FFD40065000-memory.dmp

Filesize
84KB

Download
memory/3448-423-0x00007FFD3A730000-0x00007FFD3A748000-memory.dmp

Filesize
96KB

Download
memory/3448-426-0x00007FFD3A0A0000-0x00007FFD3A0C6000-memory.dmp

Filesize
152KB

Download
memory/3448-427-0x00007FFD38650000-0x00007FFD38688000-memory.dmp

Filesize
224KB

Download
memory/3448-425-0x00007FFD49DB0000-0x00007FFD49DBB000-memory.dmp

Filesize
44KB

Download
memory/3448-424-0x00007FFD3A670000-0x00007FFD3A684000-memory.dmp

Filesize
80KB

Download
memory/3448-422-0x00007FFD3FFE0000-0x00007FFD3FFFF000-memory.dmp

Filesize
124KB

Download
memory/3448-421-0x00007FFD4B020000-0x00007FFD4B030000-memory.dmp

Filesize
64KB

Download
memory/3448-428-0x00007FFD34F90000-0x00007FFD35101000-memory.dmp

Filesize
1.4MB

Download
memory/3448-429-0x00007FFD364B0000-0x00007FFD36537000-memory.dmp

Filesize
540KB

Download
memory/3588-20-0x0000000000680000-0x00000000009A4000-memory.dmp

Filesize
3.1MB

Download
memory/4584-251-0x000000001DCD0000-0x000000001DD82000-memory.dmp

Filesize
712KB

Download
memory/4584-250-0x000000001BC20000-0x000000001BC70000-memory.dmp

Filesize
320KB

Download