quasar | 1abbb40a23b96d43508ea9414e619e4affc2c2754e8867ce1d7778102639fdc0

Analysis

max time kernel
599s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DonioExternalBetaTesting.exe
Size

21.6MB
MD5

8b83b1b0b50756804e0f08c9f3b1b8f7
SHA1

85c32f26ae0e3f04b27bd6718919703aea5543ff
SHA256

1abbb40a23b96d43508ea9414e619e4affc2c2754e8867ce1d7778102639fdc0
SHA512

fac6eb15c691367ef0d67bdd12bc56874c62a87ffdc7b4f6811cb278e432180e4900d6965cb349f1edf3b29f8415506f2c4bf5cd580a309641b525bddcd0ebd9
SSDEEP

393216:b6OqvaxDwIev2jgHvRaWP3xql2s0fdmMsx/pPeBAyYWzUrzShjiIPmF9PDpm:pJUUgPRaGUgfYMuRARzUHiji39PDpm

Score

10^/10

quasar office04 execution pyinstaller spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

73.102.120.5:4782

Mutex

45cfb540-284b-48a7-9d2a-e359fc523739

Attributes

encryption_key
70C79CE5F0635CE0445F6E268995D45A5188DFB3
install_name
DonioExternalBeta.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
WhitelistBeta

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DonioExternalBeta.exe	family_quasar
behavioral1/memory/3636-27-0x0000000000D30000-0x0000000001054000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DonioExternalBetaTesting.exeDonioExternalWhitelistBeta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DonioExternalBetaTesting.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DonioExternalWhitelistBeta.exe

Drops startup file 2 IoCs

Processes:

DonioExternalWhitelist.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DonioExternalWhitelist.exe	DonioExternalWhitelist.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DonioExternalWhitelist.exe	DonioExternalWhitelist.exe

Executes dropped EXE 6 IoCs

Processes:

DonioExternalWhitelistBeta.exeDonioExternalBeta.exeDonioExternalWhitelist.exeDonio.exeDonioExternalWhitelist.exeDonioExternalBeta.exe

pid	process
1536	DonioExternalWhitelistBeta.exe
3636	DonioExternalBeta.exe
2384	DonioExternalWhitelist.exe
1672	Donio.exe
4044	DonioExternalWhitelist.exe
1640	DonioExternalBeta.exe

Loads dropped DLL 52 IoCs

Processes:

DonioExternalWhitelist.exe

pid	process
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI23842\python310.dll	upx
behavioral1/memory/4044-166-0x00007FFDA91E0000-0x00007FFDA964E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\pyexpat.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\pywin32_system32\pythoncom310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\win32\win32api.pyd	upx
behavioral1/memory/4044-232-0x00007FFDBE0E0000-0x00007FFDBE10B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\libssl-1_1.dll	upx
behavioral1/memory/4044-225-0x00007FFDBDC30000-0x00007FFDBDCEC000-memory.dmp	upx
behavioral1/memory/4044-242-0x00007FFDA8E60000-0x00007FFDA91D5000-memory.dmp	upx
behavioral1/memory/4044-241-0x00007FFDBD2B0000-0x00007FFDBD368000-memory.dmp	upx
behavioral1/memory/4044-240-0x00007FFDBE0B0000-0x00007FFDBE0DE000-memory.dmp	upx
behavioral1/memory/4044-224-0x00007FFDBE130000-0x00007FFDBE15E000-memory.dmp	upx
behavioral1/memory/4044-223-0x00007FFDC0350000-0x00007FFDC035D000-memory.dmp	upx
behavioral1/memory/4044-222-0x00007FFDBE220000-0x00007FFDBE254000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\pywin32_system32\pywintypes310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_queue.pyd	upx
behavioral1/memory/4044-214-0x00007FFDC3140000-0x00007FFDC314D000-memory.dmp	upx
behavioral1/memory/4044-213-0x00007FFDBE990000-0x00007FFDBE9A9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_socket.pyd	upx
behavioral1/memory/4044-210-0x00007FFDC2170000-0x00007FFDC219D000-memory.dmp	upx
behavioral1/memory/4044-209-0x00007FFDC21A0000-0x00007FFDC21B9000-memory.dmp	upx
behavioral1/memory/4044-208-0x00007FFDC72D0000-0x00007FFDC72DF000-memory.dmp	upx
behavioral1/memory/4044-207-0x00007FFDC21C0000-0x00007FFDC21E4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_uuid.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_overlapped.pyd	upx
behavioral1/memory/4044-247-0x00007FFDC0110000-0x00007FFDC0120000-memory.dmp	upx
behavioral1/memory/4044-246-0x00007FFDBE090000-0x00007FFDBE0A5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_asyncio.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_multiprocessing.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_cffi_backend.cp310-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_ctypes.pyd	upx
behavioral1/memory/4044-261-0x00007FFDBE990000-0x00007FFDBE9A9000-memory.dmp	upx
behavioral1/memory/4044-271-0x00007FFDA8E60000-0x00007FFDA91D5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23842\psutil\_psutil_windows.pyd	upx
behavioral1/memory/4044-270-0x00007FFDBD2B0000-0x00007FFDBD368000-memory.dmp	upx
behavioral1/memory/4044-269-0x00007FFDBE0B0000-0x00007FFDBE0DE000-memory.dmp	upx
behavioral1/memory/4044-267-0x00007FFDBDC30000-0x00007FFDBDCEC000-memory.dmp	upx
behavioral1/memory/4044-278-0x00007FFDBCED0000-0x00007FFDBCEE8000-memory.dmp	upx
behavioral1/memory/4044-281-0x00007FFDA7F40000-0x00007FFDA8058000-memory.dmp	upx
behavioral1/memory/4044-280-0x00007FFDBB940000-0x00007FFDBB966000-memory.dmp	upx
behavioral1/memory/4044-279-0x00007FFDA87B0000-0x00007FFDA8837000-memory.dmp	upx
behavioral1/memory/4044-256-0x00007FFDA91E0000-0x00007FFDA964E000-memory.dmp	upx
behavioral1/memory/4044-303-0x00007FFDB8DB0000-0x00007FFDB8DE8000-memory.dmp	upx
behavioral1/memory/4044-302-0x00007FFDA7BA0000-0x00007FFDA7DE5000-memory.dmp	upx
behavioral1/memory/4044-301-0x00007FFDAF0E0000-0x00007FFDAF0EC000-memory.dmp	upx
behavioral1/memory/4044-300-0x00007FFDAF0F0000-0x00007FFDAF102000-memory.dmp	upx
behavioral1/memory/4044-299-0x00007FFDAF290000-0x00007FFDAF29D000-memory.dmp	upx
behavioral1/memory/4044-298-0x00007FFDAF2A0000-0x00007FFDAF2AC000-memory.dmp	upx
behavioral1/memory/4044-297-0x00007FFDB4670000-0x00007FFDB467C000-memory.dmp	upx
behavioral1/memory/4044-296-0x00007FFDB4680000-0x00007FFDB468B000-memory.dmp	upx
behavioral1/memory/4044-295-0x00007FFDB4C20000-0x00007FFDB4C2B000-memory.dmp	upx
behavioral1/memory/4044-294-0x00007FFDB4C30000-0x00007FFDB4C3C000-memory.dmp	upx
behavioral1/memory/4044-293-0x00007FFDB6DA0000-0x00007FFDB6DAE000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

17 discord.com
18 discord.com
22 discord.com
23 discord.com
64 discord.com
65 discord.com
66 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 api.ipify.org
21 api.ipify.org
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2708 powershell.exe
3216 powershell.exe

flow	ioc
17	discord.com
18	discord.com
22	discord.com
23	discord.com
64	discord.com
65	discord.com
66	discord.com

flow	ioc
20	api.ipify.org
21	api.ipify.org

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1904 schtasks.exe
216 schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

1392 WMIC.exe

pid	process
1904	schtasks.exe
216	schtasks.exe

pid	process
1392	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599966281457919"	chrome.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exeDonioExternalWhitelist.exetaskmgr.exechrome.exechrome.exe

pid	process
2708	powershell.exe
2708	powershell.exe
3216	powershell.exe
3216	powershell.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
4044	DonioExternalWhitelist.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
232	chrome.exe
232	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3656 chrome.exe
3656 chrome.exe
3656 chrome.exe
3656 chrome.exe

pid	process
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeDonioExternalBeta.exepowershell.exeDonioExternalBeta.exeDonioExternalWhitelist.exeWMIC.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	3636	DonioExternalBeta.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	1640	DonioExternalBeta.exe
Token: SeDebugPrivilege	4044	DonioExternalWhitelist.exe
Token: SeIncreaseQuotaPrivilege	4184	WMIC.exe
Token: SeSecurityPrivilege	4184	WMIC.exe
Token: SeTakeOwnershipPrivilege	4184	WMIC.exe
Token: SeLoadDriverPrivilege	4184	WMIC.exe
Token: SeSystemProfilePrivilege	4184	WMIC.exe
Token: SeSystemtimePrivilege	4184	WMIC.exe
Token: SeProfSingleProcessPrivilege	4184	WMIC.exe
Token: SeIncBasePriorityPrivilege	4184	WMIC.exe
Token: SeCreatePagefilePrivilege	4184	WMIC.exe
Token: SeBackupPrivilege	4184	WMIC.exe
Token: SeRestorePrivilege	4184	WMIC.exe
Token: SeShutdownPrivilege	4184	WMIC.exe
Token: SeDebugPrivilege	4184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4184	WMIC.exe
Token: SeRemoteShutdownPrivilege	4184	WMIC.exe
Token: SeUndockPrivilege	4184	WMIC.exe
Token: SeManageVolumePrivilege	4184	WMIC.exe
Token: 33	4184	WMIC.exe
Token: 34	4184	WMIC.exe
Token: 35	4184	WMIC.exe
Token: 36	4184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4184	WMIC.exe
Token: SeSecurityPrivilege	4184	WMIC.exe
Token: SeTakeOwnershipPrivilege	4184	WMIC.exe
Token: SeLoadDriverPrivilege	4184	WMIC.exe
Token: SeSystemProfilePrivilege	4184	WMIC.exe
Token: SeSystemtimePrivilege	4184	WMIC.exe
Token: SeProfSingleProcessPrivilege	4184	WMIC.exe
Token: SeIncBasePriorityPrivilege	4184	WMIC.exe
Token: SeCreatePagefilePrivilege	4184	WMIC.exe
Token: SeBackupPrivilege	4184	WMIC.exe
Token: SeRestorePrivilege	4184	WMIC.exe
Token: SeShutdownPrivilege	4184	WMIC.exe
Token: SeDebugPrivilege	4184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4184	WMIC.exe
Token: SeRemoteShutdownPrivilege	4184	WMIC.exe
Token: SeUndockPrivilege	4184	WMIC.exe
Token: SeManageVolumePrivilege	4184	WMIC.exe
Token: 33	4184	WMIC.exe
Token: 34	4184	WMIC.exe
Token: 35	4184	WMIC.exe
Token: 36	4184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1220	wmic.exe
Token: SeSecurityPrivilege	1220	wmic.exe
Token: SeTakeOwnershipPrivilege	1220	wmic.exe
Token: SeLoadDriverPrivilege	1220	wmic.exe
Token: SeSystemProfilePrivilege	1220	wmic.exe
Token: SeSystemtimePrivilege	1220	wmic.exe
Token: SeProfSingleProcessPrivilege	1220	wmic.exe
Token: SeIncBasePriorityPrivilege	1220	wmic.exe
Token: SeCreatePagefilePrivilege	1220	wmic.exe
Token: SeBackupPrivilege	1220	wmic.exe
Token: SeRestorePrivilege	1220	wmic.exe
Token: SeShutdownPrivilege	1220	wmic.exe
Token: SeDebugPrivilege	1220	wmic.exe
Token: SeSystemEnvironmentPrivilege	1220	wmic.exe
Token: SeRemoteShutdownPrivilege	1220	wmic.exe
Token: SeUndockPrivilege	1220	wmic.exe
Token: SeManageVolumePrivilege	1220	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Donio.exetaskmgr.exechrome.exe

pid	process
1672	Donio.exe
1672	Donio.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe

Suspicious use of SendNotifyMessage 63 IoCs

Processes:

Donio.exetaskmgr.exechrome.exe

pid	process
1672	Donio.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DonioExternalBeta.exe

pid process

1640 DonioExternalBeta.exe

pid	process
1640	DonioExternalBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DonioExternalBetaTesting.exeDonioExternalWhitelistBeta.exeDonioExternalWhitelist.exeDonioExternalBeta.exeDonioExternalWhitelist.exeDonioExternalBeta.execmd.execmd.execmd.execmd.execmd.exechrome.exe

description	pid	process	target process
PID 4528 wrote to memory of 2708	4528	DonioExternalBetaTesting.exe	powershell.exe
PID 4528 wrote to memory of 2708	4528	DonioExternalBetaTesting.exe	powershell.exe
PID 4528 wrote to memory of 2708	4528	DonioExternalBetaTesting.exe	powershell.exe
PID 4528 wrote to memory of 1536	4528	DonioExternalBetaTesting.exe	DonioExternalWhitelistBeta.exe
PID 4528 wrote to memory of 1536	4528	DonioExternalBetaTesting.exe	DonioExternalWhitelistBeta.exe
PID 4528 wrote to memory of 1536	4528	DonioExternalBetaTesting.exe	DonioExternalWhitelistBeta.exe
PID 4528 wrote to memory of 3636	4528	DonioExternalBetaTesting.exe	DonioExternalBeta.exe
PID 4528 wrote to memory of 3636	4528	DonioExternalBetaTesting.exe	DonioExternalBeta.exe
PID 1536 wrote to memory of 3216	1536	DonioExternalWhitelistBeta.exe	powershell.exe
PID 1536 wrote to memory of 3216	1536	DonioExternalWhitelistBeta.exe	powershell.exe
PID 1536 wrote to memory of 3216	1536	DonioExternalWhitelistBeta.exe	powershell.exe
PID 1536 wrote to memory of 2384	1536	DonioExternalWhitelistBeta.exe	DonioExternalWhitelist.exe
PID 1536 wrote to memory of 2384	1536	DonioExternalWhitelistBeta.exe	DonioExternalWhitelist.exe
PID 1536 wrote to memory of 1672	1536	DonioExternalWhitelistBeta.exe	Donio.exe
PID 1536 wrote to memory of 1672	1536	DonioExternalWhitelistBeta.exe	Donio.exe
PID 1536 wrote to memory of 1672	1536	DonioExternalWhitelistBeta.exe	Donio.exe
PID 2384 wrote to memory of 4044	2384	DonioExternalWhitelist.exe	DonioExternalWhitelist.exe
PID 2384 wrote to memory of 4044	2384	DonioExternalWhitelist.exe	DonioExternalWhitelist.exe
PID 3636 wrote to memory of 1904	3636	DonioExternalBeta.exe	schtasks.exe
PID 3636 wrote to memory of 1904	3636	DonioExternalBeta.exe	schtasks.exe
PID 4044 wrote to memory of 4644	4044	DonioExternalWhitelist.exe	cmd.exe
PID 4044 wrote to memory of 4644	4044	DonioExternalWhitelist.exe	cmd.exe
PID 3636 wrote to memory of 1640	3636	DonioExternalBeta.exe	DonioExternalBeta.exe
PID 3636 wrote to memory of 1640	3636	DonioExternalBeta.exe	DonioExternalBeta.exe
PID 1640 wrote to memory of 216	1640	DonioExternalBeta.exe	schtasks.exe
PID 1640 wrote to memory of 216	1640	DonioExternalBeta.exe	schtasks.exe
PID 4044 wrote to memory of 4212	4044	DonioExternalWhitelist.exe	cmd.exe
PID 4044 wrote to memory of 4212	4044	DonioExternalWhitelist.exe	cmd.exe
PID 4212 wrote to memory of 2100	4212	cmd.exe	netsh.exe
PID 4212 wrote to memory of 2100	4212	cmd.exe	netsh.exe
PID 4044 wrote to memory of 3836	4044	DonioExternalWhitelist.exe	cmd.exe
PID 4044 wrote to memory of 3836	4044	DonioExternalWhitelist.exe	cmd.exe
PID 3836 wrote to memory of 4184	3836	cmd.exe	WMIC.exe
PID 3836 wrote to memory of 4184	3836	cmd.exe	WMIC.exe
PID 4044 wrote to memory of 1220	4044	DonioExternalWhitelist.exe	wmic.exe
PID 4044 wrote to memory of 1220	4044	DonioExternalWhitelist.exe	wmic.exe
PID 4044 wrote to memory of 3384	4044	DonioExternalWhitelist.exe	cmd.exe
PID 4044 wrote to memory of 3384	4044	DonioExternalWhitelist.exe	cmd.exe
PID 3384 wrote to memory of 1392	3384	cmd.exe	WMIC.exe
PID 3384 wrote to memory of 1392	3384	cmd.exe	WMIC.exe
PID 4044 wrote to memory of 4472	4044	DonioExternalWhitelist.exe	cmd.exe
PID 4044 wrote to memory of 4472	4044	DonioExternalWhitelist.exe	cmd.exe
PID 4472 wrote to memory of 5076	4472	cmd.exe	WMIC.exe
PID 4472 wrote to memory of 5076	4472	cmd.exe	WMIC.exe
PID 4044 wrote to memory of 2180	4044	DonioExternalWhitelist.exe	cmd.exe
PID 4044 wrote to memory of 2180	4044	DonioExternalWhitelist.exe	cmd.exe
PID 2180 wrote to memory of 3356	2180	cmd.exe	WMIC.exe
PID 2180 wrote to memory of 3356	2180	cmd.exe	WMIC.exe
PID 3656 wrote to memory of 3260	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 3260	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe
PID 3656 wrote to memory of 4008	3656	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DonioExternalBetaTesting.exe
"C:\Users\Admin\AppData\Local\Temp\DonioExternalBetaTesting.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAcgBjACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAbQBxACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUwBoAGEAcgBpAG4AZwAsACAAQwByAGEAYwBrAGkAbgBnACwAIABMAGUAYQBrAGkAbgBnACwAIABXAGkAbABsACAAUgBlAHMAdQBsAHQAIABJAG4AIABCAGwAYQBjAGsAbABpAHMAdAAnACwAJwAnACwAJwBPAEsAJwAsACcAVwBhAHIAbgBpAG4AZwAnACkAPAAjAHcAeQB0ACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelistBeta.exe
"C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelistBeta.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAYwBjACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAdQBrACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUwBoAGEAcgBpAG4AZwAgAG8AcgAgAGEAbgB5ACAAYwByAGEAYwBrAGkAbgBnACAAbABlAGEAZABzACAAdABvACAAYQAgAGIAbABhAGMAawBsAGkAcwB0ACcALAAnACcALAAnAE8ASwAnACwAJwBXAGEAcgBuAGkAbgBnACcAKQA8ACMAYwB0AGQAIwA+AA=="
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe
"C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe
"C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
5⤵
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
5⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
5⤵
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Detects videocard installed
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
5⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
6⤵
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
5⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
6⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\Donio.exe
"C:\Users\Admin\AppData\Local\Temp\Donio.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1672

C:\Users\Admin\AppData\Local\Temp\DonioExternalBeta.exe
"C:\Users\Admin\AppData\Local\Temp\DonioExternalBeta.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WhitelistBeta\DonioExternalBeta.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1904

C:\Users\Admin\AppData\Roaming\WhitelistBeta\DonioExternalBeta.exe
"C:\Users\Admin\AppData\Roaming\WhitelistBeta\DonioExternalBeta.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WhitelistBeta\DonioExternalBeta.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:216

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffda915ab58,0x7ffda915ab68,0x7ffda915ab78
2⤵
PID:3260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:2
2⤵
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:8
2⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2316 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:8
2⤵
PID:576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:1
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:1
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:1
2⤵
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:8
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:8
2⤵
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:8
2⤵
PID:1248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4844 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:1
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:8
2⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:8
2⤵
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3252 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:8
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3512 --field-trial-handle=1864,i,16682759632624050683,13816030448868931223,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
43a56bc952099c9a2721f20645412f35

SHA1
0c320b90e6bdda14050c29485d8ca1fb9b73b367

SHA256
82207772cdf981c1f2d85de02015d6d8d174f642c3d10cfc46170a382da907e8

SHA512
42d3125117fac77ffe675f033c8763f87446031290a1ef79285cbfbf80f34768258ae50328a7ff77ffab58d0065b539fd5c8422c6605054548e0bb667afde941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2f4b54466a709d2dbd61150cc30123f8

SHA1
12d44b1a1c7c2cb5bb197268a6c9f62d40146f35

SHA256
2aecbf533283d1056509467605dfcdde5c44b65a752b63e7d9e86d923bc7924d

SHA512
a0e13df31153696549fd04fb3d2b5a6cc53c8c233b1c13a2e842c8eb7a48d81d2003ca912cdd48feb98ffddad0459ec7a90a320effcf945ee2e04d5313199a8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a8ec92ee3d095da2b9255f94b157abe0

SHA1
5d0a2358e28724efcb4f679e56c320c462a50d8d

SHA256
accf4e66f9059174f9e64e64421fa04bea5b441d3efb7da10319728f070aacc3

SHA512
bfec210ad5e767acfc3850926de7abb38f4a8b019c8ec267c094426277fd4d1cdf075e24e52a398066f3537afb7024e91d5d38ac4e0f8955573d83e1d41139d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5c388879abf4f837b596b2a2c762318e

SHA1
90b7adb53d8c451eb07a791a2e18e01c0970812f

SHA256
ed274091d0aa27479a237688692b138d686e29d4513608b816f8c6c6380a57d7

SHA512
d8d0fd3e338620cd7a3d835024ef24b2132002a411da702dc085cf52940b3ab4b5a5e93d4d9a8dab04747e6668c5e684ba6a411e90782fcebca261205b6c9854

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
904b6e2ea58204b828039c7a47cd6a91

SHA1
1dcfd4f5a6d53e4ef6753873174b5d716e0ec2b1

SHA256
74f86667820de396fc17bba17334d0067f5a9c4c37a9c13d7a7f74a879226391

SHA512
86b047f5b5302c06bf0b198911a6bb4ab52cb411c4a47d2d5486d82b4ad7141ecfbc447ad18d4b66042e10407d8a4c99954e6a5e874e17c5672d193c01ed1b07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
0e0bd83588d0600f28562b6870b8ded1

SHA1
abf8c0cacc7a5bc4ba2ac52941ff8d6ea4938c96

SHA256
dd8876a44acdd1a083b9d50f971ff7ec5165528e399ac45ccd264b3d995f9dc9

SHA512
8ed3e9c1b3c049da5d47ffc8c832bd8ee80415dfdf8d523e6ee287c149bb91da2a5340e3568f44d7508d89104c0633adebcefeba605026afea26a94d3cd93b89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
9b1a169928145bf41b4be2fdf6a2c082

SHA1
6b5bdbfbc24cefc2b189137d20bcdf0abd85d5fc

SHA256
701a8cc13fdb08f1514fc73b51dbe616c70d7d5395dccba607536c68c030ec01

SHA512
0b241989d99df52ec9c29d16bc697cb3fca2d8f3fa1686809b37cd75a87a1a9867222fcfc6a47e518b7385842fef7e85e79c348dc77ff72c14cb2e27e1d6ff13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
50e4d85edb61bb700d722e8cc35c3140

SHA1
4a35bc73cbfb5d718b84be359d6b2061ae06d45c

SHA256
31726cd8e938e390d91ad5ad544a5ebdeac5aad7f38a07aaad213e579549b5fa

SHA512
1b7fcf8d9fdff45cfd8e55e8421f9b0d1083cc1e79dd2f679c4e92ef31b737bc8259205c42d04bffc871d39547612151769673acdb255c2bf2feba9c5daff75c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
60bda1f1961e972ea5740ac334888b61

SHA1
fd1cca0f674439f5e4d6511f0ee24841a7b51e0b

SHA256
44677916d9cc0a1651630a6169622bfef6e697c3e382b744c4a7930ed42e3033

SHA512
aeeff33165a41b97837de94f116625c51173291a53770d0c2acb326d3667e834b722e3e7f20b77eb62bb34a0e208d4b7ff5f9b03fe94f932acbad2e4a8991b95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
95KB

MD5
22fdc7d632c3014a4f91f6984b32885b

SHA1
226fb820b0047554243abbc498c0c107b87e95ab

SHA256
67489e4b2548abb432a400faaa7952c636f3325a480694553cded5a81da4005f

SHA512
cda9e9db7f696673e4fdb6458f8571e8f51e9b04a184347bf734b79566da9afcb57d125453403fcd865bdc65e9353d28cf1b5712b41869d391531c8bb794b9ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe592aee.TMP

Filesize
91KB

MD5
c184d2826ad662adb9e21baf33912a02

SHA1
b1af156a721d3501c289aabdc8fd38469fba813f

SHA256
4a824daea4dc0d1d1fe86fb33b0b196c1c292df486ac53a187a4c7bdde7b2c47

SHA512
d4c0ae74bad03eaf274b9c6dddc5ad10548945e6bee451452b23beea5dc2b6eb1f3996afec4611a7783e5c98e75d820c3739947912c04b44cbdf1bd61560ada8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Donio.exe

Filesize
902KB

MD5
c86fdb05d8039576a5b4337e9c325501

SHA1
67ab5f331da4ae476834091deb16e6368368cfd4

SHA256
8ec2857c4450d31b6501fcb09d9df278f43aeef4aeb777665eb7c12969f20a55

SHA512
a5588d17134b9dbdcf64818053d9c5175cfa931ccfc753e83720118ecf2e45aae3917b14f17cbff7195c9f843e36bf9a70090a4c01501677ea5878fe4f49c9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\DonioExternalBeta.exe

Filesize
3.1MB

MD5
f6cac3799f1b2b86055066dd79e3b54e

SHA1
b9ed623e0866524e70c780a3dabf3328b951a817

SHA256
fd36b4f1250ecd6a31e5bae1364324ae884396162b5182e876b4fa4a745423e4

SHA512
229a8cc4a0bc298ac6992b939316c6bba3e6e6107d3b3c1fc003520b317b5d7ca550dcd28ae6e32acf726981616482d7f7fa3d2ca1926a25dc0e77d520ab646f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelist.exe

Filesize
17.6MB

MD5
37b1ed056cce1544b5f403f7de1475b1

SHA1
d93127c883413b2faa6a0e62ecfb64172317fb9f

SHA256
09b42cf2750cf3f7e2ed7d59402f1e7d4a61725470418bf770c2258eff0e18f7

SHA512
d4210115d6e9157b49f0ee8a91dead139bedc76c209f490b351c3ae14088c52a48b81c13ee8129fe5cea73b99e9eeab6b5fefa1a3ab12e4613709b9080e61a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\DonioExternalWhitelistBeta.exe

Filesize
18.5MB

MD5
e5b1ee08a3dc911e1b03c5e1144b56a4

SHA1
a8d6c78529ac362e8f064e9bee6200d876c69dca

SHA256
60166316f528438e7d4b02f15e097ab82d274dbefeee452c0e07ca7b9a629500

SHA512
03e2245541db3bdd3f0a31f226c18617851330f2f0c314233cfa64912eac718eccff997c1d0c02f45e08af1ef54512ff7b2492884b9d36bde7d397a90ba210b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_asyncio.pyd

Filesize
34KB

MD5
712d3a6f3e4904f7b5e1f2ff98666fcf

SHA1
a1356402f70afa1793a8332760ebbec564cddaec

SHA256
179cc647d2a512101a41e42fda6c60586c57325c1f7669ed5a2862d837e63f0f

SHA512
08577ea318febb1af3c938191118e0a1ae44fdf6fe4c942678085b7e3c178bfeb8312361c9f3706007b6324a71e47ce39e59ef6741bee251694182f9c0164aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_bz2.pyd

Filesize
46KB

MD5
67086fa5b7a91965c6b97793653ac371

SHA1
2bbf4f9b0132fcf8c87abe75861faf5c3183e0ab

SHA256
f4f29d87ef972100dd92c0a585687db051c1d61e6eb15cc0259fcbb28a24213a

SHA512
df5ec287f041285048020658de6bd7a8260f77127df0887646504ee94edd42c43f014a49435d3af7c946d58f2c300bf47f8e3281609f76f033bfda628be33b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
6954da0da2028a646ba438f3c56d21a5

SHA1
ded5d73f30288d84756c019b1399f9c403fab56c

SHA256
f5cf4158ec21b889fd22e7df962f2bee641b39e4feee604541c2bc5d8d882d71

SHA512
f9a3c1e5d9aa7e39a6e486c15091f427f632a0ec60e6cae206c4276cd920fc87f870931938cbd2b36bec52625cd5d25d15d342a7df4b9f6f9fc241d7fec9f97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_ctypes.pyd

Filesize
56KB

MD5
e3d88469b78bf1919fa552a021ce479c

SHA1
2baad99e4e39177c35970adea25971a6ea46c1a0

SHA256
09eb5b558c678f36dff886ed2e975d5593baf883c463b140d20fdd4369a1e1c3

SHA512
6d7bf9e00e43a26aa677acbb35b620b912ffddc0faca98900c40dd7a50ca127fc2d10ebb15b42b2b603a6ab0a68e8ad312ebb535cb9fcb65403b31021947c16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_decimal.pyd

Filesize
103KB

MD5
fd1c4c843c3e169cb2a0566fb456a9d7

SHA1
61f363d724d3cb85c44af5121510a6bfdf34a1c1

SHA256
b8cb6060f417858c166e66d2697d96abe4ec0e486fd0074ac2f4e07a6d29d171

SHA512
2263be5c078be7e4f09b3507e8f0e9e658f90485451b0df3a605e8747241b838a065f687904ebda1f0ae4f9fe4a21f707667ef5c9b246c249a6eb3d34b26e63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_hashlib.pyd

Filesize
33KB

MD5
90c6b459bb46b43b2381a16d96350164

SHA1
5830ef39e0da51fe81e9250f97d1485ba6588b2c

SHA256
5c6bf4d4160d90b82ededdbe29ec757e632119b74bbda8cbf6040acaab06e6f9

SHA512
c5c17f6be39817b645fc5f32cbabc9517aed22bce749e3d4fb93eab0816391ef83a5f7ade83e03883239fd2c6dc5cf6ec775def0e7ff205c46aec571a9b6dc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_lzma.pyd

Filesize
84KB

MD5
c731e138e9daff344e74c4ead3922583

SHA1
06447109fa1d04a3d6949a3befe25e16b10eb0c9

SHA256
3ca4c628cff43d16eec49f91c424911a7e0059e2bc6c0842377ca461ecd65ed2

SHA512
aac5403d126ba800eac7ed4f544f0a13ee82af261873894290ef68253970d42473e0c0d1499f8dc26c993e09e35a38f5f7944f43005462460aac0c94e4657f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_multiprocessing.pyd

Filesize
25KB

MD5
70cc374f078d320c22e0af28ea458763

SHA1
9bdf540a3753f1240bf0b325e73fee6473a1b542

SHA256
40661236d5d459d0a5eca05ab89b4ea552ba2d75739ca64b0b8c7671addc24a1

SHA512
4ad1bfe8c911ed9e2070b412244d982cbc7790bc67682386fba7894168a0afe96f7dc0395bb77cfa7f6012c73b396eedc2a13a4bac8d97c3dbaa4c5004e8dd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_overlapped.pyd

Filesize
30KB

MD5
0eda90832b62542e3fa8df44d80d7a4a

SHA1
fd2e34a0c5d5dc5df2a6cc46283f042616df2f89

SHA256
a27c1e89a5f80fd580bed93fe6b2d0fd9a90362d0c0461b129579b49f6b0d61d

SHA512
3c93d8643732a197a02daca0863e05e9664fc2790e6d54fa4784fab0eeab3d65652cae84c10392dde937b9cde768054a40221e5263d31b6e01debdbc3e8a63ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_queue.pyd

Filesize
24KB

MD5
8b7afe95319742f4d68be5df05f8647f

SHA1
4e65556259624d25cad8c485c33d4820c6940b57

SHA256
505c019316fc31d664f5f433e2a9dae4e8b2c9c13d4f62fca6abc143fc48fe4c

SHA512
6537903147ab75bebadcb022139a6ba52eae0049e4f504fcc0c848a2c000347f03608f9d98e252962a46e75f0cf20c6b73d3dd026cf8d29fb5996a814110dac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_socket.pyd

Filesize
41KB

MD5
eb901c16ac3dead7dbb69f2df5b1bcd7

SHA1
38ef1766f2c43cd3f47c0a695f9d78b1f63be37d

SHA256
e6d8cf287924b97c626dfe0f6ddffa1f8f62890e94abdd0346f7ecc2a498e147

SHA512
08c431ea59b2dc81dae6eafe4c15024b509790febf25019d5cc0e81f79266c13ebb2767946043555af2cfcadebd6b03707ea951e90b3bf675002fb6cc199667f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_sqlite3.pyd

Filesize
48KB

MD5
a0c3e4372f8378135e7ef192997c455a

SHA1
b8926b99672c541493cf73a5aaabe847f69eebce

SHA256
629c582ace5af6f81874beed471ad34d6a635641d5db2e8dd2f2832285b5a807

SHA512
54e3596bfb49495b11049f2beecd11c4f14d0cd6b292afe7e8348c71032c2d4edbddf3f1418bae7250edc5bd3f0c00d7068aaf8f22ae0ee62b9ac2e7b061d02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_ssl.pyd

Filesize
60KB

MD5
817233b9fe6697835c26cd4ec543d829

SHA1
2ad3b07d120712b232762ba5802ba9d4e36b4229

SHA256
192dca065c55c351ccc50ddf2537b7295180de4da55a1ecfc933b3441d38a253

SHA512
e0758ffbd2e393603d1d5bb37a9aaba5d613d092df93398fe47901e5e9a6fa1f99cd281291b00dcf51ee89135f044aee0e7ed65dfaeb1efc921803a198950b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_uuid.pyd

Filesize
21KB

MD5
a14d125f1ff6fddd7f76b4f4b825fd61

SHA1
bf62278ecf758c117020099e1af3cc3705223a9e

SHA256
a76767176657524a78971f8af7cc64f8926b39375d7dee64afb87fd3bcfe3316

SHA512
85241c3679811e99cab94eb3bc146bbae704408ed010b422798b2936e24882a747a4e3abe44893d1b15c10e84f1e0f2ea42b15e831a6b72e046254fdfcec5350

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\base_library.zip

Filesize
859KB

MD5
f5b15ac0a24a122d69c41843da5d463b

SHA1
e25772476631d5b6dd278cb646b93abd282c34ed

SHA256
ec3b8c865c6e3c5e35449b32dcb397da665d6a10fbee61284489a6c420c72a3b

SHA512
1704611166d63962e14deb6d519c2a7af4f05bca308c1949652fddf89bc526c594ede43a34b9306e5979998576f448951d08ad9e25b6d749d5d46b7d18d133b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\libcrypto-1_1.dll

Filesize
1.1MB

MD5
7dcc7e84b12764bfdc109fb3a0354b8c

SHA1
e29855c661003c0c30985cd085b57b1160077219

SHA256
34de2d67d3270d44421d6b5e39f29b4466f7f4121fdbb72b37a62449731230ec

SHA512
45ad32ba83a010fcc6ffd6651305af114fc891dbd409213ca640665da9ba27bccddd35cb329acc8e92a789f7c8a2ab527621cf46aa6c3b93c97342c030a2b826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\libffi-7.dll

Filesize
23KB

MD5
bfdf5ec44cb18cfd1e5e62c1dd9234b8

SHA1
c8f6ca25dac5f1ace786f38315f38f39d5da5a47

SHA256
4da81872062f20cb20228f211837984ee841ab230b0deb4ee8ecb4185d744c94

SHA512
b8d36d5e7f876d362056788b5175ba2af1a016a5330098c96657d376a9be7f91ca4729403bb531610b3a20b70d2d957262c1f492b80a59b25ed2ea81a15f3fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\libssl-1_1.dll

Filesize
203KB

MD5
a76169ad3875772a2ce65bdd9579a67e

SHA1
6bcb1c76976fa0fbc847848174f057b268665cb3

SHA256
45dbc7f6c47a30a11c8d56f820dcc439686c8267d53293a33a7fa3d4cd5b617d

SHA512
74d6196098363217b3344ba60517c7c98443b46c018dfcd983f19133cd770eea6d8c9c9cc3d19f689c945fb642b4106a8324509fe840b2e9565157c36690b368

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
4732b2f1e51342fe289bc316897d8d62

SHA1
acb5ac5fc83121e8caec091191bd66d519f29787

SHA256
9ba42d887ff1655a9a7fd20b33c6bf80b6429a60dcd9f0409281a25e3d73f329

SHA512
7435c0da033dbc07bbd2e6bebfc48041701dbc7bcb58276fbf51ba6db7507a16ad8a7a12dbdbdbdd4074772094c3bd969e27a2c4946c050bcff049a9c4666d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\pyexpat.pyd

Filesize
86KB

MD5
da7d165787f16ed5c466c491d60ab14d

SHA1
70073b055317fa12335242ae0cb936c785ed28a3

SHA256
93702905c2b42b43ea6756221ae374b0ef4f2d3949f3a82545ad35eb9a3fff97

SHA512
83798f3df5e22fb0ecc642c311af3c8e8e661f32c454f9e14614a7a4ae670f1b8256dd14152030e8269a8356a3e55ea0b52d9d778d1e1db529ceb341114db3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\python3.dll

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\python310.dll

Filesize
1.4MB

MD5
c2897cda0fa2dec34a7df6f8701d2b70

SHA1
e255ef1bf6da858730c11160eafa3872a9729c0b

SHA256
36ceefbbdccabff811439d5b4fe9f52be6265ee0f9048dbe7744c8c365f848a3

SHA512
a051f58ca01ffe0614e6ad5643a27c8012b3a0c3c5be8d662ffe931e65fc70c6561d16261412c731d392f7affdf46757c459dfb2dce9a30fb0704ee04916e50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\pywin32_system32\pythoncom310.dll

Filesize
193KB

MD5
7582d557db4ff51de84f5c31d1ec621e

SHA1
ba09b3471b1818bfca04e8d3e2c45114b1a514d0

SHA256
74ad540180c90eb5ba63560c6602cbb824c642cf997dfc4f9e926f1ef520f5a7

SHA512
4a72617f6ae75f71ad57608b61df0095faac9364a2174f67c252fd6c9c69e11591971e8525aa7437f969f708d350825ab14a108d31226a62e47bd32aeed62e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\pywin32_system32\pywintypes310.dll

Filesize
62KB

MD5
9c3180552346dc1853a15f61d0d1ec23

SHA1
27fc9c7be498922c2e281373f35f348eaa517444

SHA256
3308d28cb2e56562b0f77eb5fdc5bd5ff9c7d6a38192a36a41ace206e71353d7

SHA512
793c75ef0964170c7ea008ca3d7ee00576bf9fbdca0ffe3d08194625606854725bf767b2ed7a84de0e868438428084c2978c38096f19014b0a01f28aaaaeebba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\select.pyd

Filesize
24KB

MD5
e7af562db16c73c340fa4fd1ac048935

SHA1
98e7ab9e6cf465d24a2f655703e21b1e22baa313

SHA256
55c5af3082b849472289ce261aa53dca12ff3a5f720ac38c0967bd2fc9095c52

SHA512
e65f41fc410c5d71d377c3485c2f2fa80a03c592915bf7e64cf99c6a47b325d7f4ff3c6e0c5da4f42461fbc843ddb1e8481fa2c6e84f07f3a6d2689ae47dd5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\sqlite3.dll

Filesize
608KB

MD5
8ab8a5fa338b9dd855b0a1247bde46d9

SHA1
89a08a10c92335b1367ab0d5c36b82a7464c95b7

SHA256
7833378ca393dfc816d619703829e0440b350a389cf174017c2c045a9c27463d

SHA512
5380e692faafce754844d5be2421221e7469ce5665a82de4658462d33b5fdf1a9fda8338f36b75d2151bdc29bea1e909634b6c9f00fafaa6f7120998f0086ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\unicodedata.pyd

Filesize
287KB

MD5
b6dce7d76ddd91fe3ac768f9272a3c5e

SHA1
5b7a6a644c7f54472f2ffcb7211f0fc7a17c6630

SHA256
6bb012c7a7426b1093192d61ebf52f349c0c01fbe043945002fbf9a9498ce0f8

SHA512
4e520936a36a460cb7a675a95b1b2d4b7856869b308919ba9bac81abdab2ce3ec31b89ba48b6f75aee2d6881c5457217db302f76d10e0dab3222b492e5b30765

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\win32\win32api.pyd

Filesize
48KB

MD5
f8b962cd8522a108d63237e073ecf464

SHA1
a1de787120bd109efa224ebfb64ffd94891d207e

SHA256
77c5ecce2a9fc001560beec95d326363375c5ca768f897fe5fd9105f8ac6300d

SHA512
12c551c9f7c55c98d52fa51e472c61e57af6da38ba19b5d9ad696a051b21103c8dc10af3ef8cfdc41cbcb6cc7b0ccdce91b04ea14a6b6f0089c0626d0082c1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_akik0cy4.ki1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eRTcy1jE6Q\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\eRTcy1jE6Q\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
memory/1640-251-0x000000001BD50000-0x000000001BE02000-memory.dmp

Filesize
712KB

Download
memory/1640-250-0x0000000002A20000-0x0000000002A70000-memory.dmp

Filesize
320KB

Download
memory/1640-437-0x000000001C680000-0x000000001CBA8000-memory.dmp

Filesize
5.2MB

Download
memory/2520-446-0x00000220960B0000-0x00000220960B1000-memory.dmp

Filesize
4KB

Download
memory/2520-451-0x00000220960B0000-0x00000220960B1000-memory.dmp

Filesize
4KB

Download
memory/2520-450-0x00000220960B0000-0x00000220960B1000-memory.dmp

Filesize
4KB

Download
memory/2520-448-0x00000220960B0000-0x00000220960B1000-memory.dmp

Filesize
4KB

Download
memory/2520-447-0x00000220960B0000-0x00000220960B1000-memory.dmp

Filesize
4KB

Download
memory/2520-439-0x00000220960B0000-0x00000220960B1000-memory.dmp

Filesize
4KB

Download
memory/2520-440-0x00000220960B0000-0x00000220960B1000-memory.dmp

Filesize
4KB

Download
memory/2520-445-0x00000220960B0000-0x00000220960B1000-memory.dmp

Filesize
4KB

Download
memory/2520-441-0x00000220960B0000-0x00000220960B1000-memory.dmp

Filesize
4KB

Download
memory/2520-449-0x00000220960B0000-0x00000220960B1000-memory.dmp

Filesize
4KB

Download
memory/2708-254-0x0000000073820000-0x0000000073FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2708-248-0x00000000087A0000-0x0000000008D44000-memory.dmp

Filesize
5.6MB

Download
memory/2708-8-0x0000000073820000-0x0000000073FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2708-239-0x0000000006AB0000-0x0000000006ACA000-memory.dmp

Filesize
104KB

Download
memory/2708-7-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/2708-111-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/2708-33-0x0000000005FB0000-0x0000000006304000-memory.dmp

Filesize
3.3MB

Download
memory/2708-6-0x0000000004FC0000-0x0000000004FF6000-memory.dmp

Filesize
216KB

Download
memory/2708-24-0x00000000055F0000-0x0000000005612000-memory.dmp

Filesize
136KB

Download
memory/2708-25-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/2708-26-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/2708-236-0x0000000007B70000-0x00000000081EA000-memory.dmp

Filesize
6.5MB

Download
memory/2708-249-0x0000000007960000-0x00000000079F2000-memory.dmp

Filesize
584KB

Download
memory/2708-15-0x0000000073820000-0x0000000073FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2708-109-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/2708-1-0x000000007382E000-0x000000007382F000-memory.dmp

Filesize
4KB

Download
memory/3636-27-0x0000000000D30000-0x0000000001054000-memory.dmp

Filesize
3.1MB

Download
memory/4044-303-0x00007FFDB8DB0000-0x00007FFDB8DE8000-memory.dmp

Filesize
224KB

Download
memory/4044-375-0x00007FFDBE990000-0x00007FFDBE9A9000-memory.dmp

Filesize
100KB

Download
memory/4044-256-0x00007FFDA91E0000-0x00007FFDA964E000-memory.dmp

Filesize
4.4MB

Download
memory/4044-280-0x00007FFDBB940000-0x00007FFDBB966000-memory.dmp

Filesize
152KB

Download
memory/4044-302-0x00007FFDA7BA0000-0x00007FFDA7DE5000-memory.dmp

Filesize
2.3MB

Download
memory/4044-301-0x00007FFDAF0E0000-0x00007FFDAF0EC000-memory.dmp

Filesize
48KB

Download
memory/4044-300-0x00007FFDAF0F0000-0x00007FFDAF102000-memory.dmp

Filesize
72KB

Download
memory/4044-299-0x00007FFDAF290000-0x00007FFDAF29D000-memory.dmp

Filesize
52KB

Download
memory/4044-298-0x00007FFDAF2A0000-0x00007FFDAF2AC000-memory.dmp

Filesize
48KB

Download
memory/4044-297-0x00007FFDB4670000-0x00007FFDB467C000-memory.dmp

Filesize
48KB

Download
memory/4044-296-0x00007FFDB4680000-0x00007FFDB468B000-memory.dmp

Filesize
44KB

Download
memory/4044-295-0x00007FFDB4C20000-0x00007FFDB4C2B000-memory.dmp

Filesize
44KB

Download
memory/4044-294-0x00007FFDB4C30000-0x00007FFDB4C3C000-memory.dmp

Filesize
48KB

Download
memory/4044-293-0x00007FFDB6DA0000-0x00007FFDB6DAE000-memory.dmp

Filesize
56KB

Download
memory/4044-292-0x00007FFDBB930000-0x00007FFDBB93C000-memory.dmp

Filesize
48KB

Download
memory/4044-291-0x00007FFDBC3A0000-0x00007FFDBC3AC000-memory.dmp

Filesize
48KB

Download
memory/4044-290-0x00007FFDBD050000-0x00007FFDBD05B000-memory.dmp

Filesize
44KB

Download
memory/4044-289-0x00007FFDBD1A0000-0x00007FFDBD1AC000-memory.dmp

Filesize
48KB

Download
memory/4044-288-0x00007FFDBD9A0000-0x00007FFDBD9AB000-memory.dmp

Filesize
44KB

Download
memory/4044-287-0x00007FFDBDA00000-0x00007FFDBDA0C000-memory.dmp

Filesize
48KB

Download
memory/4044-286-0x00007FFDBE1D0000-0x00007FFDBE1DB000-memory.dmp

Filesize
44KB

Download
memory/4044-285-0x00007FFDBE210000-0x00007FFDBE21B000-memory.dmp

Filesize
44KB

Download
memory/4044-284-0x00007FFDBE920000-0x00007FFDBE92B000-memory.dmp

Filesize
44KB

Download
memory/4044-283-0x00007FFDBBA70000-0x00007FFDBBA84000-memory.dmp

Filesize
80KB

Download
memory/4044-282-0x00007FFDA91E0000-0x00007FFDA964E000-memory.dmp

Filesize
4.4MB

Download
memory/4044-276-0x00007FFDA8840000-0x00007FFDA89B1000-memory.dmp

Filesize
1.4MB

Download
memory/4044-275-0x00007FFDBD210000-0x00007FFDBD22F000-memory.dmp

Filesize
124KB

Download
memory/4044-265-0x00007FFDBE130000-0x00007FFDBE15E000-memory.dmp

Filesize
184KB

Download
memory/4044-311-0x00007FFDA8780000-0x00007FFDA87A9000-memory.dmp

Filesize
164KB

Download
memory/4044-310-0x00007FFDAF0B0000-0x00007FFDAF0BA000-memory.dmp

Filesize
40KB

Download
memory/4044-281-0x00007FFDA7F40000-0x00007FFDA8058000-memory.dmp

Filesize
1.1MB

Download
memory/4044-278-0x00007FFDBCED0000-0x00007FFDBCEE8000-memory.dmp

Filesize
96KB

Download
memory/4044-337-0x00007FFDC0350000-0x00007FFDC035D000-memory.dmp

Filesize
52KB

Download
memory/4044-339-0x00007FFDA8E60000-0x00007FFDA91D5000-memory.dmp

Filesize
3.5MB

Download
memory/4044-340-0x00007FFDBDF40000-0x00007FFDBDF4F000-memory.dmp

Filesize
60KB

Download
memory/4044-363-0x00007FFDBCED0000-0x00007FFDBCEE8000-memory.dmp

Filesize
96KB

Download
memory/4044-379-0x00007FFDBE130000-0x00007FFDBE15E000-memory.dmp

Filesize
184KB

Download
memory/4044-382-0x00007FFDBE0B0000-0x00007FFDBE0DE000-memory.dmp

Filesize
184KB

Download
memory/4044-381-0x00007FFDBE0E0000-0x00007FFDBE10B000-memory.dmp

Filesize
172KB

Download
memory/4044-380-0x00007FFDBDC30000-0x00007FFDBDCEC000-memory.dmp

Filesize
752KB

Download
memory/4044-378-0x00007FFDC0350000-0x00007FFDC035D000-memory.dmp

Filesize
52KB

Download
memory/4044-377-0x00007FFDBE220000-0x00007FFDBE254000-memory.dmp

Filesize
208KB

Download
memory/4044-376-0x00007FFDC3140000-0x00007FFDC314D000-memory.dmp

Filesize
52KB

Download
memory/4044-279-0x00007FFDA87B0000-0x00007FFDA8837000-memory.dmp

Filesize
540KB

Download
memory/4044-374-0x00007FFDC2170000-0x00007FFDC219D000-memory.dmp

Filesize
180KB

Download
memory/4044-373-0x00007FFDC21A0000-0x00007FFDC21B9000-memory.dmp

Filesize
100KB

Download
memory/4044-372-0x00007FFDC72D0000-0x00007FFDC72DF000-memory.dmp

Filesize
60KB

Download
memory/4044-371-0x00007FFDC21C0000-0x00007FFDC21E4000-memory.dmp

Filesize
144KB

Download
memory/4044-370-0x00007FFDB8DB0000-0x00007FFDB8DE8000-memory.dmp

Filesize
224KB

Download
memory/4044-369-0x00007FFDA8840000-0x00007FFDA89B1000-memory.dmp

Filesize
1.4MB

Download
memory/4044-368-0x00007FFDBD210000-0x00007FFDBD22F000-memory.dmp

Filesize
124KB

Download
memory/4044-367-0x00007FFDBB940000-0x00007FFDBB966000-memory.dmp

Filesize
152KB

Download
memory/4044-366-0x00007FFDBE920000-0x00007FFDBE92B000-memory.dmp

Filesize
44KB

Download
memory/4044-365-0x00007FFDBBA70000-0x00007FFDBBA84000-memory.dmp

Filesize
80KB

Download
memory/4044-364-0x00007FFDA87B0000-0x00007FFDA8837000-memory.dmp

Filesize
540KB

Download
memory/4044-360-0x00007FFDC0110000-0x00007FFDC0120000-memory.dmp

Filesize
64KB

Download
memory/4044-359-0x00007FFDBE090000-0x00007FFDBE0A5000-memory.dmp

Filesize
84KB

Download
memory/4044-358-0x00007FFDA8E60000-0x00007FFDA91D5000-memory.dmp

Filesize
3.5MB

Download
memory/4044-357-0x00007FFDBD2B0000-0x00007FFDBD368000-memory.dmp

Filesize
736KB

Download
memory/4044-344-0x00007FFDA91E0000-0x00007FFDA964E000-memory.dmp

Filesize
4.4MB

Download
memory/4044-383-0x00007FFDA7F40000-0x00007FFDA8058000-memory.dmp

Filesize
1.1MB

Download
memory/4044-387-0x00007FFDBDF40000-0x00007FFDBDF4F000-memory.dmp

Filesize
60KB

Download
memory/4044-386-0x00007FFDA8780000-0x00007FFDA87A9000-memory.dmp

Filesize
164KB

Download
memory/4044-385-0x00007FFDAF0B0000-0x00007FFDAF0BA000-memory.dmp

Filesize
40KB

Download
memory/4044-384-0x00007FFDA7BA0000-0x00007FFDA7DE5000-memory.dmp

Filesize
2.3MB

Download
memory/4044-267-0x00007FFDBDC30000-0x00007FFDBDCEC000-memory.dmp

Filesize
752KB

Download
memory/4044-269-0x00007FFDBE0B0000-0x00007FFDBE0DE000-memory.dmp

Filesize
184KB

Download
memory/4044-270-0x00007FFDBD2B0000-0x00007FFDBD368000-memory.dmp

Filesize
736KB

Download
memory/4044-271-0x00007FFDA8E60000-0x00007FFDA91D5000-memory.dmp

Filesize
3.5MB

Download
memory/4044-261-0x00007FFDBE990000-0x00007FFDBE9A9000-memory.dmp

Filesize
100KB

Download
memory/4044-246-0x00007FFDBE090000-0x00007FFDBE0A5000-memory.dmp

Filesize
84KB

Download
memory/4044-247-0x00007FFDC0110000-0x00007FFDC0120000-memory.dmp

Filesize
64KB

Download
memory/4044-207-0x00007FFDC21C0000-0x00007FFDC21E4000-memory.dmp

Filesize
144KB

Download
memory/4044-208-0x00007FFDC72D0000-0x00007FFDC72DF000-memory.dmp

Filesize
60KB

Download
memory/4044-209-0x00007FFDC21A0000-0x00007FFDC21B9000-memory.dmp

Filesize
100KB

Download
memory/4044-210-0x00007FFDC2170000-0x00007FFDC219D000-memory.dmp

Filesize
180KB

Download
memory/4044-213-0x00007FFDBE990000-0x00007FFDBE9A9000-memory.dmp

Filesize
100KB

Download
memory/4044-214-0x00007FFDC3140000-0x00007FFDC314D000-memory.dmp

Filesize
52KB

Download
memory/4044-222-0x00007FFDBE220000-0x00007FFDBE254000-memory.dmp

Filesize
208KB

Download
memory/4044-223-0x00007FFDC0350000-0x00007FFDC035D000-memory.dmp

Filesize
52KB

Download
memory/4044-224-0x00007FFDBE130000-0x00007FFDBE15E000-memory.dmp

Filesize
184KB

Download
memory/4044-240-0x00007FFDBE0B0000-0x00007FFDBE0DE000-memory.dmp

Filesize
184KB

Download
memory/4044-241-0x00007FFDBD2B0000-0x00007FFDBD368000-memory.dmp

Filesize
736KB

Download
memory/4044-242-0x00007FFDA8E60000-0x00007FFDA91D5000-memory.dmp

Filesize
3.5MB

Download
memory/4044-243-0x00000139AD280000-0x00000139AD5F5000-memory.dmp

Filesize
3.5MB

Download
memory/4044-225-0x00007FFDBDC30000-0x00007FFDBDCEC000-memory.dmp

Filesize
752KB

Download
memory/4044-232-0x00007FFDBE0E0000-0x00007FFDBE10B000-memory.dmp

Filesize
172KB

Download
memory/4044-166-0x00007FFDA91E0000-0x00007FFDA964E000-memory.dmp

Filesize
4.4MB

Download